Issue #25021: Correctly make sure that product.__setstate__ does not access

invalid memory.
parent fa40b1b5
...@@ -959,6 +959,16 @@ class TestBasicOps(unittest.TestCase): ...@@ -959,6 +959,16 @@ class TestBasicOps(unittest.TestCase):
self.assertEqual(list(copy.deepcopy(product(*args))), result) self.assertEqual(list(copy.deepcopy(product(*args))), result)
self.pickletest(product(*args)) self.pickletest(product(*args))
def test_product_issue_25021(self):
# test that indices are properly clamped to the length of the tuples
p = product((1, 2),(3,))
p.__setstate__((0, 0x1000)) # will access tuple element 1 if not clamped
self.assertEqual(next(p), (2, 3))
# test that empty tuple in the list will result in an immediate StopIteration
p = product((1, 2), (), (3,))
p.__setstate__((0, 0, 0x1000)) # will access tuple element 1 if not clamped
self.assertRaises(StopIteration, next, p)
def test_repeat(self): def test_repeat(self):
self.assertEqual(list(repeat(object='a', times=3)), ['a', 'a', 'a']) self.assertEqual(list(repeat(object='a', times=3)), ['a', 'a', 'a'])
self.assertEqual(lzip(range(3),repeat('a')), self.assertEqual(lzip(range(3),repeat('a')),
......
...@@ -2205,13 +2205,21 @@ product_setstate(productobject *lz, PyObject *state) ...@@ -2205,13 +2205,21 @@ product_setstate(productobject *lz, PyObject *state)
{ {
PyObject* indexObject = PyTuple_GET_ITEM(state, i); PyObject* indexObject = PyTuple_GET_ITEM(state, i);
Py_ssize_t index = PyLong_AsSsize_t(indexObject); Py_ssize_t index = PyLong_AsSsize_t(indexObject);
PyObject* pool;
Py_ssize_t poolsize;
if (index < 0 && PyErr_Occurred()) if (index < 0 && PyErr_Occurred())
return NULL; /* not an integer */ return NULL; /* not an integer */
pool = PyTuple_GET_ITEM(lz->pools, i);
poolsize = PyTuple_GET_SIZE(pool);
if (poolsize == 0) {
lz->stopped = 1;
Py_RETURN_NONE;
}
/* clamp the index */ /* clamp the index */
if (index < 0) if (index < 0)
index = 0; index = 0;
else if (index > n-1) else if (index > poolsize-1)
index = n-1; index = poolsize-1;
lz->indices[i] = index; lz->indices[i] = index;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment