Skip to content

Commit 08069ba

Browse files
sweeneydesweeneyde
authored
[3.10] GH-93964: Harden overflow checks before _PyBytes_Resize in compile.c (GH-94045)
1 parent ad2e9f9 commit 08069ba

File tree

2 files changed

+22
-5
lines changed

2 files changed

+22
-5
lines changed

Misc/NEWS.d/next/Core and Builtins/2022-06-21-05-07-00.gh-issue-93964.Cg1LE7.rst

+1
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
Strengthened compiler overflow checks to prevent crashes when compiling very large source files.

Python/compile.c

+21-5
Original file line numberDiff line numberDiff line change
@@ -6605,16 +6605,26 @@ static int
66056605
assemble_emit_linetable_pair(struct assembler *a, int bdelta, int ldelta)
66066606
{
66076607
Py_ssize_t len = PyBytes_GET_SIZE(a->a_lnotab);
6608-
if (a->a_lnotab_off + 2 >= len) {
6609-
if (_PyBytes_Resize(&a->a_lnotab, len * 2) < 0)
6608+
if (a->a_lnotab_off > INT_MAX - 2) {
6609+
goto overflow;
6610+
}
6611+
if (a->a_lnotab_off >= len - 2) {
6612+
if (len > INT_MAX / 2) {
6613+
goto overflow;
6614+
}
6615+
if (_PyBytes_Resize(&a->a_lnotab, len * 2) < 0) {
66106616
return 0;
6617+
}
66116618
}
66126619
unsigned char *lnotab = (unsigned char *) PyBytes_AS_STRING(a->a_lnotab);
66136620
lnotab += a->a_lnotab_off;
66146621
a->a_lnotab_off += 2;
66156622
*lnotab++ = bdelta;
66166623
*lnotab++ = ldelta;
66176624
return 1;
6625+
overflow:
6626+
PyErr_SetString(PyExc_OverflowError, "line number table is too long");
6627+
return 0;
66186628
}
66196629

66206630
/* Appends a range to the end of the line number table. See
@@ -6687,21 +6697,27 @@ assemble_emit(struct assembler *a, struct instr *i)
66876697
int size, arg = 0;
66886698
Py_ssize_t len = PyBytes_GET_SIZE(a->a_bytecode);
66896699
_Py_CODEUNIT *code;
6690-
66916700
arg = i->i_oparg;
66926701
size = instrsize(arg);
66936702
if (i->i_lineno && !assemble_lnotab(a, i))
66946703
return 0;
6704+
if (a->a_offset > INT_MAX - size) {
6705+
goto overflow;
6706+
}
66956707
if (a->a_offset + size >= len / (int)sizeof(_Py_CODEUNIT)) {
6696-
if (len > PY_SSIZE_T_MAX / 2)
6697-
return 0;
6708+
if (len > INT_MAX / 2) {
6709+
goto overflow;
6710+
}
66986711
if (_PyBytes_Resize(&a->a_bytecode, len * 2) < 0)
66996712
return 0;
67006713
}
67016714
code = (_Py_CODEUNIT *)PyBytes_AS_STRING(a->a_bytecode) + a->a_offset;
67026715
a->a_offset += size;
67036716
write_op_arg(code, i->i_opcode, arg, size);
67046717
return 1;
6718+
overflow:
6719+
PyErr_SetString(PyExc_OverflowError, "bytecode is too long");
6720+
return 0;
67056721
}
67066722

67076723
static void

0 commit comments

Comments
 (0)