From 84f07c3a4cbcfe488ccfb4030571be0bc4de7e45 Mon Sep 17 00:00:00 2001 From: Victor Stinner Date: Tue, 19 Nov 2024 09:13:20 +0100 Subject: [PATCH] gh-126594: Fix typeobject.c wrap_buffer() cast (#126754) Reject flags smaller than INT_MIN. Co-authored-by: Jelle Zijlstra --- Lib/test/test_buffer.py | 15 +++++++++++++++ Objects/typeobject.c | 6 +++--- 2 files changed, 18 insertions(+), 3 deletions(-) diff --git a/Lib/test/test_buffer.py b/Lib/test/test_buffer.py index cb38a69e390..332e49ce9f1 100644 --- a/Lib/test/test_buffer.py +++ b/Lib/test/test_buffer.py @@ -4446,6 +4446,21 @@ def test_pybuffer_size_from_format(self): self.assertEqual(_testcapi.PyBuffer_SizeFromFormat(format), struct.calcsize(format)) + @support.cpython_only + def test_flags_overflow(self): + # gh-126594: Check for integer overlow on large flags + try: + from _testcapi import INT_MIN, INT_MAX + except ImportError: + INT_MIN = -(2 ** 31) + INT_MAX = 2 ** 31 - 1 + + obj = b'abc' + for flags in (INT_MIN - 1, INT_MAX + 1): + with self.subTest(flags=flags): + with self.assertRaises(OverflowError): + obj.__buffer__(flags) + class TestPythonBufferProtocol(unittest.TestCase): def test_basic(self): diff --git a/Objects/typeobject.c b/Objects/typeobject.c index a6cf3da542b..840d004d3d9 100644 --- a/Objects/typeobject.c +++ b/Objects/typeobject.c @@ -9314,13 +9314,13 @@ wrap_buffer(PyObject *self, PyObject *args, void *wrapped) if (flags == -1 && PyErr_Occurred()) { return NULL; } - if (flags > INT_MAX) { + if (flags > INT_MAX || flags < INT_MIN) { PyErr_SetString(PyExc_OverflowError, - "buffer flags too large"); + "buffer flags out of range"); return NULL; } - return _PyMemoryView_FromBufferProc(self, Py_SAFE_DOWNCAST(flags, Py_ssize_t, int), + return _PyMemoryView_FromBufferProc(self, (int)flags, (getbufferproc)wrapped); }