Check sequence multiply for length overflow

Fixes #1279
2019-02-04 15:33:36 -08:00 · 2019-02-04 15:33:36 -08:00 · c60f77d5ab
commit c60f77d5ab
parent 9bcc38e995
5 changed files with 17 additions and 3 deletions
--- a/py/obj.h
+++ b/py/obj.h
@ -844,6 +844,8 @@ typedef struct {
    mp_int_t step;
 } mp_bound_slice_t;

+// Compute the new length of a sequence and ensure an exception is thrown on overflow.
+size_t mp_seq_multiply_len(size_t item_sz, size_t len);
 void mp_seq_multiply(const void *items, size_t item_sz, size_t len, size_t times, void *dest);
 #if MICROPY_PY_BUILTINS_SLICE
 bool mp_seq_get_fast_slice_indexes(mp_uint_t len, mp_obj_t slice, mp_bound_slice_t *indexes);
--- a/py/objlist.c
+++ b/py/objlist.c
@ -126,7 +126,8 @@ STATIC mp_obj_t list_binary_op(mp_binary_op_t op, mp_obj_t lhs, mp_obj_t rhs) {
            if (n < 0) {
                n = 0;
            }
-            mp_obj_list_t *s = list_new(o->len * n);
+            size_t new_len = mp_seq_multiply_len(o->len, n);
+            mp_obj_list_t *s = list_new(new_len);
            mp_seq_multiply(o->items, sizeof(*o->items), o->len, n, s->items);
            return MP_OBJ_FROM_PTR(s);
        }
--- a/py/objstr.c
+++ b/py/objstr.c
@ -332,8 +332,9 @@ mp_obj_t mp_obj_str_binary_op(mp_binary_op_t op, mp_obj_t lhs_in, mp_obj_t rhs_i
                return mp_const_empty_bytes;
            }
        }
+        size_t new_len = mp_seq_multiply_len(lhs_len, n);
        vstr_t vstr;
-        vstr_init_len(&vstr, lhs_len * n);
+        vstr_init_len(&vstr, new_len);
        mp_seq_multiply(lhs_data, sizeof(*lhs_data), lhs_len, n, vstr.buf);
        return mp_obj_new_str_from_vstr(lhs_type, &vstr);
    }
--- a/py/objtuple.c
+++ b/py/objtuple.c
@ -160,7 +160,8 @@ mp_obj_t mp_obj_tuple_binary_op(mp_binary_op_t op, mp_obj_t lhs, mp_obj_t rhs) {
            if (n <= 0) {
                return mp_const_empty_tuple;
            }
-            mp_obj_tuple_t *s = MP_OBJ_TO_PTR(mp_obj_new_tuple(o->len * n, NULL));
+            size_t new_len = mp_seq_multiply_len(o->len, n);
+            mp_obj_tuple_t *s = MP_OBJ_TO_PTR(mp_obj_new_tuple(new_len, NULL));
            mp_seq_multiply(o->items, sizeof(*o->items), o->len, n, s->items);
            return MP_OBJ_FROM_PTR(s);
        }
--- a/py/sequence.c
+++ b/py/sequence.c
@ -34,6 +34,15 @@

 #define SWAP(type, var1, var2) { type t = var2; var2 = var1; var1 = t; }

+// Detect when a multiply causes an overflow.
+size_t mp_seq_multiply_len(size_t item_sz, size_t len) {
+    size_t new_len;
+    if (__builtin_umul_overflow(item_sz, len, &new_len)) {
+        mp_raise_msg(&mp_type_OverflowError, translate("small int overflow"));
+    }
+    return new_len;
+}
+
 // Implements backend of sequence * integer operation. Assumes elements are
 // memory-adjacent in sequence.
 void mp_seq_multiply(const void *items, size_t item_sz, size_t len, size_t times, void *dest) {