check for overflows in permutations() and product() (closes #23363, closes #23364)

61c2e4a0 · Benjamin Peterson · e5ba545f · 61c2e4a0 · 61c2e4a0 · 61c2e4a0
Commit 61c2e4a0 authored Feb 01, 2015 by Benjamin Peterson
Show whitespace changes
Inline Side-by-side

Showing with 32 additions and 2 deletions

Lib/test/test_itertools.py Lib/test/test_itertools.py +12 -0

Misc/NEWS Misc/NEWS +4 -0

Modules/itertoolsmodule.c Modules/itertoolsmodule.c +16 -2

No files found.
--- a/Lib/test/test_itertools.py
+++ b/Lib/test/test_itertools.py
@@ -418,6 +418,13 @@ class TestBasicOps(unittest.TestCase):
                self.pickletest(permutations(values, r))                # test pickling
+    @support.bigaddrspacetest
+    def test_permutations_overflow(self):
+        with self.assertRaises(OverflowError):
+            permutations("A", 2**30)
+        with self.assertRaises(OverflowError):
+            permutations("A", 2, 2**30)
    @support.impl_detail("tuple resuse is CPython specific")
    def test_permutations_tuple_reuse(self):
        self.assertEqual(len(set(map(id, permutations('abcde', 3)))), 1)
@@ -930,6 +937,11 @@ class TestBasicOps(unittest.TestCase):
            args = map(iter, args)
            self.assertEqual(len(list(product(*args))), expected_len)
+    @support.bigaddrspacetest
+    def test_product_overflow(self):
+        with self.assertRaises(OverflowError):
+            product(["a"]*(2**16), repeat=2**16)
    @support.impl_detail("tuple reuse is specific to CPython")
    def test_product_tuple_reuse(self):
        self.assertEqual(len(set(map(id, product('abc', 'def')))), 1)

--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -16,6 +16,10 @@ Core and Builtins
 Library
 -------
+- Issue #23363: Fix possible overflow in itertools.permutations.
+- Issue #23364: Fix possible overflow in itertools.product.
 - Issue #23369: Fixed possible integer overflow in
  _json.encode_basestring_ascii.

--- a/Modules/itertoolsmodule.c
+++ b/Modules/itertoolsmodule.c
@@ -1998,8 +1998,17 @@ product_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
        }
    }
-    assert(PyTuple_Check(args));
+    assert(PyTuple_CheckExact(args));
-    nargs = (repeat == 0) ? 0 : PyTuple_GET_SIZE(args);
+    if (repeat == 0) {
+        nargs = 0;
+    } else {
+        nargs = PyTuple_GET_SIZE(args);
+        if (repeat > PY_SSIZE_T_MAX/sizeof(Py_ssize_t) ||
+            nargs > PY_SSIZE_T_MAX/(repeat * sizeof(Py_ssize_t))) {
+            PyErr_SetString(PyExc_OverflowError, "repeat argument too large");
+            return NULL;
+        }
+    }
    npools = nargs * repeat;
    indices = PyMem_Malloc(npools * sizeof(Py_ssize_t));
@@ -2992,6 +3001,11 @@ permutations_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
        goto error;
    }
+    if (n > PY_SSIZE_T_MAX/sizeof(Py_ssize_t) ||
+        r > PY_SSIZE_T_MAX/sizeof(Py_ssize_t)) {
+        PyErr_SetString(PyExc_OverflowError, "parameters too large");
+        goto error;
+    }
    indices = PyMem_Malloc(n * sizeof(Py_ssize_t));
    cycles = PyMem_Malloc(r * sizeof(Py_ssize_t));
    if (indices == NULL || cycles == NULL) {