bpo-36946: Fix possible signed integer overflow when handling slices. (GH-13375)

The final addition (cur += step) may overflow, so use size_t for "cur". "cur" is always positive (even for negative steps), so it is safe to use size_t here. Co-Authored-By: Martin Panter <vadmium+py@gmail.com>
2019-05-17 01:13:03 -06:00
parent 870b035bc6
commit 14514d9084
15 changed files with 45 additions and 19 deletions
--- a/Objects/tupleobject.c
+++ b/Objects/tupleobject.c
@@ -753,7 +753,8 @@ tuplesubscript(PyTupleObject* self, PyObject* item)
        return tupleitem(self, i);
    }
    else if (PySlice_Check(item)) {
-        Py_ssize_t start, stop, step, slicelength, cur, i;
+        Py_ssize_t start, stop, step, slicelength, i;
+        size_t cur;
        PyObject* result;
        PyObject* it;
        PyObject **src, **dest;