[Python-checkins] [3.10] GH-93964: Harden overflow checks before _PyBytes_Resize in compile.c (GH-94045)
markshannon
webhook-mailer at python.org
Wed Jun 22 04:38:01 EDT 2022
https://github.com/python/cpython/commit/08069bac3bd85a6f9eb70d1bcf731d587148ed30
commit: 08069bac3bd85a6f9eb70d1bcf731d587148ed30
branch: 3.10
author: Dennis Sweeney <36520290+sweeneyde at users.noreply.github.com>
committer: markshannon <mark at hotpy.org>
date: 2022-06-22T09:37:56+01:00
summary:
[3.10] GH-93964: Harden overflow checks before _PyBytes_Resize in compile.c (GH-94045)
files:
A Misc/NEWS.d/next/Core and Builtins/2022-06-21-05-07-00.gh-issue-93964.Cg1LE7.rst
M Python/compile.c
diff --git a/Misc/NEWS.d/next/Core and Builtins/2022-06-21-05-07-00.gh-issue-93964.Cg1LE7.rst b/Misc/NEWS.d/next/Core and Builtins/2022-06-21-05-07-00.gh-issue-93964.Cg1LE7.rst
new file mode 100644
index 0000000000000..b184a7b2f7116
--- /dev/null
+++ b/Misc/NEWS.d/next/Core and Builtins/2022-06-21-05-07-00.gh-issue-93964.Cg1LE7.rst
@@ -0,0 +1 @@
+Strengthened compiler overflow checks to prevent crashes when compiling very large source files.
diff --git a/Python/compile.c b/Python/compile.c
index 7210d42fc7699..90fae6328f416 100644
--- a/Python/compile.c
+++ b/Python/compile.c
@@ -6605,9 +6605,16 @@ static int
assemble_emit_linetable_pair(struct assembler *a, int bdelta, int ldelta)
{
Py_ssize_t len = PyBytes_GET_SIZE(a->a_lnotab);
- if (a->a_lnotab_off + 2 >= len) {
- if (_PyBytes_Resize(&a->a_lnotab, len * 2) < 0)
+ if (a->a_lnotab_off > INT_MAX - 2) {
+ goto overflow;
+ }
+ if (a->a_lnotab_off >= len - 2) {
+ if (len > INT_MAX / 2) {
+ goto overflow;
+ }
+ if (_PyBytes_Resize(&a->a_lnotab, len * 2) < 0) {
return 0;
+ }
}
unsigned char *lnotab = (unsigned char *) PyBytes_AS_STRING(a->a_lnotab);
lnotab += a->a_lnotab_off;
@@ -6615,6 +6622,9 @@ assemble_emit_linetable_pair(struct assembler *a, int bdelta, int ldelta)
*lnotab++ = bdelta;
*lnotab++ = ldelta;
return 1;
+overflow:
+ PyErr_SetString(PyExc_OverflowError, "line number table is too long");
+ return 0;
}
/* Appends a range to the end of the line number table. See
@@ -6687,14 +6697,17 @@ assemble_emit(struct assembler *a, struct instr *i)
int size, arg = 0;
Py_ssize_t len = PyBytes_GET_SIZE(a->a_bytecode);
_Py_CODEUNIT *code;
-
arg = i->i_oparg;
size = instrsize(arg);
if (i->i_lineno && !assemble_lnotab(a, i))
return 0;
+ if (a->a_offset > INT_MAX - size) {
+ goto overflow;
+ }
if (a->a_offset + size >= len / (int)sizeof(_Py_CODEUNIT)) {
- if (len > PY_SSIZE_T_MAX / 2)
- return 0;
+ if (len > INT_MAX / 2) {
+ goto overflow;
+ }
if (_PyBytes_Resize(&a->a_bytecode, len * 2) < 0)
return 0;
}
@@ -6702,6 +6715,9 @@ assemble_emit(struct assembler *a, struct instr *i)
a->a_offset += size;
write_op_arg(code, i->i_opcode, arg, size);
return 1;
+overflow:
+ PyErr_SetString(PyExc_OverflowError, "bytecode is too long");
+ return 0;
}
static void
More information about the Python-checkins
mailing list