Commit 0eaabf1c authored by Benjamin Peterson's avatar Benjamin Peterson

check for overflows in permutations() and product() (closes #23363, closes #23364)

parent 6f082297
......@@ -418,6 +418,13 @@ class TestBasicOps(unittest.TestCase):
self.pickletest(permutations(values, r)) # test pickling
@support.bigaddrspacetest
def test_permutations_overflow(self):
with self.assertRaises(OverflowError):
permutations("A", 2**30)
with self.assertRaises(OverflowError):
permutations("A", 2, 2**30)
@support.impl_detail("tuple resuse is CPython specific")
def test_permutations_tuple_reuse(self):
self.assertEqual(len(set(map(id, permutations('abcde', 3)))), 1)
......@@ -930,6 +937,11 @@ class TestBasicOps(unittest.TestCase):
args = map(iter, args)
self.assertEqual(len(list(product(*args))), expected_len)
@support.bigaddrspacetest
def test_product_overflow(self):
with self.assertRaises(OverflowError):
product(["a"]*(2**16), repeat=2**16)
@support.impl_detail("tuple reuse is specific to CPython")
def test_product_tuple_reuse(self):
self.assertEqual(len(set(map(id, product('abc', 'def')))), 1)
......
......@@ -16,6 +16,10 @@ Core and Builtins
Library
-------
- Issue #23363: Fix possible overflow in itertools.permutations.
- Issue #23364: Fix possible overflow in itertools.product.
- Issue #23369: Fixed possible integer overflow in
_json.encode_basestring_ascii.
......
......@@ -1998,8 +1998,17 @@ product_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
}
}
assert(PyTuple_Check(args));
nargs = (repeat == 0) ? 0 : PyTuple_GET_SIZE(args);
assert(PyTuple_CheckExact(args));
if (repeat == 0) {
nargs = 0;
} else {
nargs = PyTuple_GET_SIZE(args);
if (repeat > PY_SSIZE_T_MAX/sizeof(Py_ssize_t) ||
nargs > PY_SSIZE_T_MAX/(repeat * sizeof(Py_ssize_t))) {
PyErr_SetString(PyExc_OverflowError, "repeat argument too large");
return NULL;
}
}
npools = nargs * repeat;
indices = PyMem_Malloc(npools * sizeof(Py_ssize_t));
......@@ -2992,6 +3001,11 @@ permutations_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
goto error;
}
if (n > PY_SSIZE_T_MAX/sizeof(Py_ssize_t) ||
r > PY_SSIZE_T_MAX/sizeof(Py_ssize_t)) {
PyErr_SetString(PyExc_OverflowError, "parameters too large");
goto error;
}
indices = PyMem_Malloc(n * sizeof(Py_ssize_t));
cycles = PyMem_Malloc(r * sizeof(Py_ssize_t));
if (indices == NULL || cycles == NULL) {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment