bpo-31619: Fixed integer overflow in converting huge strings to int. (#3884)

29ba6880 · Serhiy Storchaka · GitHub · 1fb72d2a · 29ba6880
Commit 29ba6880 authored Dec 03, 2017 by Serhiy Storchaka Committed by GitHub Dec 03, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 3 deletions

Objects/longobject.c Objects/longobject.c +11 -3

No files found.
--- a/Objects/longobject.c
+++ b/Objects/longobject.c
@@ -2024,7 +2024,7 @@ long_from_binary_base(const char **str, int base, PyLongObject **res)
    const char *p = *str;
    const char *start = p;
    char prev = 0;
-    int digits = 0;
+    Py_ssize_t digits = 0;
    int bits_per_char;
    Py_ssize_t n;
    PyLongObject *z;
@@ -2267,8 +2267,9 @@ just 1 digit at the start, so that the copying code was exercised for every
 digit beyond the first.
 ***/
        twodigits c;           /* current input character */
+        double fsize_z;
        Py_ssize_t size_z;
-        int digits = 0;
+        Py_ssize_t digits = 0;
        int i;
        int convwidth;
        twodigits convmultmax, convmult;
@@ -2330,7 +2331,14 @@ digit beyond the first.
         * need to initialize z->ob_digit -- no slot is read up before
         * being stored into.
         */
-        size_z = (Py_ssize_t)(digits * log_base_BASE[base]) + 1;
+        fsize_z = digits * log_base_BASE[base] + 1;
+        if (fsize_z > MAX_LONG_DIGITS) {
+            /* The same exception as in _PyLong_New(). */
+            PyErr_SetString(PyExc_OverflowError,
+                            "too many digits in integer");
+            return NULL;
+        }
+        size_z = (Py_ssize_t)fsize_z;
        /* Uncomment next line to test exceedingly rare copy code */
        /* size_z = 1; */
        assert(size_z > 0);