Potential Integer Overflow in mark_stacks function #132771

Open
rialbat opened this issue Apr 21, 2025 · 0 comments
Labels
3.13 bugs and security fixes 3.14 new features, bugs and security fixes interpreter-core (Objects, Python, Grammar, and Parser dirs) type-bug An unexpected behavior, bug, or error

Comments

@rialbat
Contributor

rialbat commented Apr 21, 2025

There is a potential signed integer overflow in the expression:

j = oparg + i + INLINE_CACHE_ENTRIES_SEND + 1;

This occurs in the loop:

for (int i = 0; i < len;) {

len is derived from a Py_SIZE cast, and it can possibly be INT_MAX:

cpython/Objects/frameobject.c, lines 1728 to 1730 in 132b6bc:

/* PyCode_NewWithPosOnlyArgs limits co_code to be under INT_MAX so this
 * should never overflow. */
int len = (int)Py_SIZE(code);

This means that the sum can theoretically exceed INT_MAX if len is near the limit, triggering undefined behavior due to signed integer overflow.
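An overflow-safe form of that target computation, added here as an example and not code from CPython or from the issue author: it checks the headroom below INT_MAX before each addition instead of evaluating the sum and hoping it fits. INLINE_CACHE_ENTRIES_SEND is an assumed constant standing in for the generated one; its exact value does not affect the check.

```c
#include <limits.h>
#include <stdio.h>

/* Assumed stand-in for CPython's INLINE_CACHE_ENTRIES_SEND, which is
 * generated from the opcode metadata; the value is only illustrative. */
#define INLINE_CACHE_ENTRIES_SEND 1

/* The report's expression is   j = oparg + i + INLINE_CACHE_ENTRIES_SEND + 1;
 * With i < len and len possibly close to INT_MAX, the sum can pass INT_MAX,
 * and signed overflow is undefined behaviour in C.  This checked variant
 * returns the target index, or -1 if it would not fit in an int.  Every term
 * is non-negative, so a valid result is never negative and -1 is unambiguous. */
static int send_target(int oparg, int i)
{
    const int fixed = INLINE_CACHE_ENTRIES_SEND + 1;

    if (oparg < 0 || i < 0) {
        return -1;               /* operands and loop indices are never negative */
    }
    /* Test the headroom left below INT_MAX before each addition, so that no
     * intermediate sum is ever evaluated out of range. */
    if (i > INT_MAX - fixed) {
        return -1;
    }
    if (oparg > INT_MAX - fixed - i) {
        return -1;
    }
    return oparg + i + fixed;    /* cannot overflow: both additions checked above */
}

/* Largest loop index i for which send_target(oparg, i) still fits.  Useful for
 * seeing how close a len near INT_MAX brings the loop to the edge. */
static int max_safe_index(int oparg)
{
    const int fixed = INLINE_CACHE_ENTRIES_SEND + 1;
    if (oparg < 0 || oparg > INT_MAX - fixed) {
        return -1;
    }
    return INT_MAX - fixed - oparg;
}

int main(void)
{
    printf("small case:  j = %d\n", send_target(10, 100));
    printf("at the edge: j = %d\n", send_target(0, max_safe_index(0)));
    printf("past it:     j = %d\n", send_target(1, max_safe_index(0)));
    return 0;
}
```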

@ZeroIntensity ZeroIntensity added type-bug An unexpected behavior, bug, or error interpreter-core (Objects, Python, Grammar, and Parser dirs) 3.13 bugs and security fixes 3.14 new features, bugs and security fixes labels Apr 21, 2025
rialbat added a commit to rialbat/cpython that referenced this issue Apr 21, 2025