Skip to content

gh-153689: Fix integer overflows in PyObject_CopyData#153690

Open
imabd645 wants to merge 1 commit into
python:mainfrom
imabd645:fix-buffer-overflows
Open

gh-153689: Fix integer overflows in PyObject_CopyData#153690
imabd645 wants to merge 1 commit into
python:mainfrom
imabd645:fix-buffer-overflows

Conversation

@imabd645

@imabd645 imabd645 commented Jul 14, 2026

Copy link
Copy Markdown

Summary

This PR addresses two integer overflow vulnerabilities explicitly marked by developers with XXX(nnorwitz) in Objects/abstract.c, specifically within PyObject_CopyData when handling the Buffer API.

If a multi-dimensional buffer object is provided with artificially large dimensions or shape array entries, it could wrap around integer variables leading to heap memory corruption or incomplete copy logic.

Changes made

  1. Prevent allocation overflow: Added a check to ensure view_src.ndim is within PyBUF_MAX_NDIM before attempting memory allocation for indices, guaranteeing sizeof(Py_ssize_t) * ndim will never integer-overflow.
  2. Prevent element count overflow: Added an overflow check within the element counting loop (elements > PY_SSIZE_T_MAX / view_src.shape[k]) that returns a standard BufferError instead of overflowing the Py_ssize_t counter.

The appropriate blurb entry for Misc/NEWS.d has been generated and included in this commit.

@bedevere-app

bedevere-app Bot commented Jul 14, 2026

Copy link
Copy Markdown

Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool.

If this change has little impact on Python users, wait for a maintainer to apply the skip news label instead.

@python-cla-bot

python-cla-bot Bot commented Jul 14, 2026

Copy link
Copy Markdown

All commit authors signed the Contributor License Agreement.

CLA signed

@imabd645 imabd645 force-pushed the fix-buffer-overflows branch from c5f47dd to 07bd45d Compare July 14, 2026 08:08
@picnixz picnixz changed the title gh-153689: Fix integer overflow vulnerabilities in PyObject_CopyData gh-153689: Fix integer overflows in PyObject_CopyData Jul 14, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Potential integer overflows in Objects/abstract.c buffer copy APIs

1 participant