Status: Open
Labels: 3.13 (bugs and security fixes), 3.14 (bugs and security fixes), interpreter-core (Objects, Python, Grammar, and Parser dirs), type-bug (An unexpected behavior, bug, or error)
Description
There is a potential signed integer overflow in the expression (line 1365 in 132b6bc):

```c
j = oparg + i + INLINE_CACHE_ENTRIES_SEND + 1;
```
This occurs in the loop (line 1329 in 132b6bc):

```c
for (int i = 0; i < len;) {
```
`len` is derived from a `Py_SIZE` cast, and it can possibly be `INT_MAX` (lines 1728 to 1730 in 132b6bc):

```c
/* PyCode_NewWithPosOnlyArgs limits co_code to be under INT_MAX so this
 * should never overflow. */
int len = (int)Py_SIZE(code);
```
It means that sum can theoretically exceed `INT_MAX` if `len` is near the limit, triggering undefined behavior due to signed integer overflow.
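One way to bound a sum of this shape without ever evaluating an overflowing `int` addition is to rearrange the comparison so only subtractions from `len` occur. This is an added example, not CPython's code or its fix; the helper name `checked_index` and the constant `CACHE_ENTRIES_ASSUMED` are hypothetical stand-ins.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed stand-in for INLINE_CACHE_ENTRIES_SEND; the real value comes from
 * CPython's headers and is not stated in the issue. */
#define CACHE_ENTRIES_ASSUMED 1

/* Hypothetical helper: decide whether oparg + i + cache + 1 is a valid
 * index below len, without computing a sum that could exceed INT_MAX.
 * On success the index is stored in *j. */
static bool checked_index(int oparg, int i, int len, int *j)
{
    if (oparg < 0 || i < 0 || i >= len) {
        return false;
    }
    /* 0 <= i < len, so len - i is in [1, INT_MAX]; subtracting the small
     * constants cannot overflow. room is how far oparg may reach. */
    int room = len - i - CACHE_ENTRIES_ASSUMED - 1;
    if (oparg >= room) {
        return false;   /* the sum would be >= len, possibly > INT_MAX */
    }
    /* Proven above: the sum is below len <= INT_MAX, so this is safe. */
    *j = oparg + i + CACHE_ENTRIES_ASSUMED + 1;
    return true;
}

int main(void)
{
    int j = -1;
    bool ok;

    /* Constructed input: a small code length. */
    ok = checked_index(3, 10, 100, &j);
    printf("small:        ok=%d j=%d\n", ok, j);

    /* Constructed input: i close to a len of INT_MAX, where the naive
     * sum oparg + i + cache + 1 would overflow. */
    ok = checked_index(5, INT_MAX - 2, INT_MAX, &j);
    printf("near INT_MAX: ok=%d\n", ok);
    return 0;
}
```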