[Python-checkins] cpython (2.7): check for overflows in permutations() and product() (closes #23363, closes

[benjamin.peterson]

https://hg.python.org/cpython/rev/acc2c3479f2e
changeset:   94459:acc2c3479f2e
branch:      2.7
parent:      94455:366018a91457
user:        Benjamin Peterson <benjamin at python.org>
date:        Sun Feb 01 21:34:07 2015 -0500
summary:
  check for overflows in permutations() and product() (closes #23363, closes #23364)

files:
  Lib/test/test_itertools.py |  12 ++++++++++++
  Misc/NEWS                  |   4 ++++
  Modules/itertoolsmodule.c  |  18 ++++++++++++++++--
  3 files changed, 32 insertions(+), 2 deletions(-)


diff --git a/Lib/test/test_itertools.py b/Lib/test/test_itertools.py
--- a/Lib/test/test_itertools.py
+++ b/Lib/test/test_itertools.py
@@ -284,6 +284,13 @@
                     self.assertEqual(result, list(permutations(values, None))) # test r as None
                     self.assertEqual(result, list(permutations(values)))       # test default r
 
+    @test_support.bigaddrspacetest
+    def test_permutations_overflow(self):
+        with self.assertRaises(OverflowError):
+            permutations("A", 2**30)
+        with self.assertRaises(OverflowError):
+            permutations("A", 2, 2**30)
+
     @test_support.impl_detail("tuple reuse is specific to CPython")
     def test_permutations_tuple_reuse(self):
         self.assertEqual(len(set(map(id, permutations('abcde', 3)))), 1)
@@ -702,6 +709,11 @@
             args = map(iter, args)
             self.assertEqual(len(list(product(*args))), expected_len)
 
+    @test_support.bigaddrspacetest
+    def test_product_overflow(self):
+        with self.assertRaises(OverflowError):
+            product(["a"]*(2**16), repeat=2**16)
+
     @test_support.impl_detail("tuple reuse is specific to CPython")
     def test_product_tuple_reuse(self):
         self.assertEqual(len(set(map(id, product('abc', 'def')))), 1)
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -18,6 +18,10 @@
 Library
 -------
 
+- Issue #23363: Fix possible overflow in itertools.permutations.
+
+- Issue #23364: Fix possible overflow in itertools.product.
+
 - Issue #23365: Fixed possible integer overflow in
   itertools.combinations_with_replacement.
 
diff --git a/Modules/itertoolsmodule.c b/Modules/itertoolsmodule.c
--- a/Modules/itertoolsmodule.c
+++ b/Modules/itertoolsmodule.c
@@ -1842,8 +1842,17 @@
         }
     }
 
-    assert(PyTuple_Check(args));
-    nargs = (repeat == 0) ? 0 : PyTuple_GET_SIZE(args);
+    assert(PyTuple_CheckExact(args));
+    if (repeat == 0) {
+        nargs = 0;
+    } else {
+        nargs = PyTuple_GET_SIZE(args);
+        if (repeat > PY_SSIZE_T_MAX/sizeof(Py_ssize_t) ||
+            nargs > PY_SSIZE_T_MAX/(repeat * sizeof(Py_ssize_t))) {
+            PyErr_SetString(PyExc_OverflowError, "repeat argument too large");
+            return NULL;
+        }
+    }
     npools = nargs * repeat;
 
     indices = PyMem_Malloc(npools * sizeof(Py_ssize_t));
@@ -2603,6 +2612,11 @@
         goto error;
     }
 
+    if (n > PY_SSIZE_T_MAX/sizeof(Py_ssize_t) ||
+        r > PY_SSIZE_T_MAX/sizeof(Py_ssize_t)) {
+        PyErr_SetString(PyExc_OverflowError, "parameters too large");
+        goto error;
+    }
     indices = PyMem_Malloc(n * sizeof(Py_ssize_t));
     cycles = PyMem_Malloc(r * sizeof(Py_ssize_t));
     if (indices == NULL || cycles == NULL) {

-- 
Repository URL: https://hg.python.org/cpython