python / cpython

The Python programming language
https://www.python.org

Possible overflow in typeobject.c:tail_contains #126862

Open federicovalenso opened 4 hours ago

federicovalenso commented 4 hours ago

Bug report

Bug description:

whence+1 could lead to overflow for large values of whence. I think changing the type from int to Py_ssize_t could fix the problem (remain is an input parameter):

static int
pmerge(PyObject *acc, PyObject **to_merge, Py_ssize_t to_merge_size)
{
...
    remain = PyMem_New(Py_ssize_t, to_merge_size);

CPython versions tested on:

3.11

Operating systems tested on:

Linux

picnixz commented 4 hours ago

This one is used in

        candidate = PyTuple_GET_ITEM(cur_tuple, remain[i]);
        for (j = 0; j < to_merge_size; j++) {
            PyObject *j_lst = to_merge[j];
            if (tail_contains(j_lst, remain[j], candidate))
                goto skip; /* continue outer loop */
        }

and for the MRO resolution. Unless we have a VERY huge list of parent classes, I don't think we would hit the overflow.
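A standalone model of the index handling described in the report and in the pmerge() snippet above, added here as example code (it is not CPython's own code): the MroTuple type, index_fits_int(), tail_contains_safe() and the sample objects are all constructed for this example. It shows the width check a reviewer would want and a tail_contains() shape in which whence has the same width as the tuple length and the bound is tested before the increment.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not CPython code. A "tuple" is modelled as an array of
   pointers (the MRO entries) plus a Py_ssize_t-like length, so the walk can
   be run outside the interpreter. */
typedef struct {
    const void *const *items;
    ptrdiff_t size;              /* stands in for Py_ssize_t */
} MroTuple;

/* pmerge() keeps positions in an int remain[] and passes them to an int
   whence, so a Py_ssize_t tuple position is narrowed on the way in.
   Returns 1 if pos survives that narrowing, 0 if it would be truncated. */
int index_fits_int(ptrdiff_t pos)
{
    return pos >= INT_MIN && pos <= INT_MAX;
}

/* Same contract as tail_contains(): is o found in t at an index > whence?
   whence has the width of the tuple length, and the bound is checked before
   the increment, so whence+1 is only evaluated when whence < size and cannot
   overflow. Negative positions never occur in the merge (remain[] starts at
   0), so they are treated as "nothing to search". */
int tail_contains_safe(const MroTuple *t, ptrdiff_t whence, const void *o)
{
    if (whence < 0 || whence >= t->size)
        return 0;
    for (ptrdiff_t j = whence + 1; j < t->size; j++) {
        if (t->items[j] == o)
            return 1;
    }
    return 0;
}

/* Constructed sample: three distinct objects whose addresses play the role
   of class objects in an MRO tuple. */
static const int class_a = 0, class_b = 1, class_c = 2;
static const void *const sample_items[3] = { &class_a, &class_b, &class_c };
const MroTuple sample_mro = { sample_items, 3 };

int main(void)
{
    printf("C after position 0: %d\n", tail_contains_safe(&sample_mro, 0, &class_c));
    printf("huge whence: %d\n", tail_contains_safe(&sample_mro, PTRDIFF_MAX, &class_a));
    return 0;
}
```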

picnixz commented 4 hours ago

cc @JelleZijlstra

federicovalenso commented 4 hours ago

@picnixz, should I try to overflow the inheritance list? :) Or is there already protection against this?

picnixz commented 4 hours ago

Yes, if you can make it happen! (I don't know whether there's a protection)