Skip to content

Potential Integer Overflow in mark_stacks function #132771

New issue
New issue
Open
Open
Potential Integer Overflow in mark_stacks function#132771
Labels
3.13bugs and security fixes3.14bugs and security fixesinterpreter-core(Objects, Python, Grammar, and Parser dirs)type-bugAn unexpected behavior, bug, or error
@rialbat

Description

@rialbat
rialbat
opened on Apr 21, 2025

There is a potential signed integer overflow in the expression:

cpython/Objects/frameobject.c

Line 1365 in 132b6bc

j = oparg + i + INLINE_CACHE_ENTRIES_SEND + 1;

This occurs in the loop:

cpython/Objects/frameobject.c

Line 1329 in 132b6bc

for (int i = 0; i < len;) {

len is derived from a Py_SIZE cast, and it can possibly be INT_MAX:

cpython/Objects/frameobject.c

Lines 1728 to 1730 in 132b6bc

/* PyCode_NewWithPosOnlyArgs limits co_code to be under INT_MAX so this
* should never overflow. */
int len = (int)Py_SIZE(code);

It means that sum can theoretically exceed INT_MAX if len is near the limit, triggering undefined behavior due to signed integer overflow.

Linked PRs

Metadata

Metadata

Assignees

No one assigned

    Labels

    3.13bugs and security fixes3.14bugs and security fixesinterpreter-core(Objects, Python, Grammar, and Parser dirs)type-bugAn unexpected behavior, bug, or error

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions