SF patch 514641 (Naofumi Honda) - Negative ob_size of LongObjects

Due to the bizarre definition of _PyLong_Copy(), creating an instance of a subclass of long with a negative value could cause core dumps later on. Unfortunately it looks like the behavior of _PyLong_Copy() is quite intentional, so the fix is more work than feels comfortable. This fix is almost, but not quite, the code that Naofumi Honda added; in addition, I added a test case.
2025-08-03 08:34:29 +00:00 · 2002-03-01 22:24:49 +00:00 · 2002-03-01 22:24:49 +00:00 · 2eb0b87d14
commit 2eb0b87d14
parent 6f33250ef9
4 changed files with 23 additions and 4 deletions
--- a/Objects/abstract.c
+++ b/Objects/abstract.c
@ -933,8 +933,16 @@ PyNumber_Long(PyObject *o)
 		Py_INCREF(o);
 		return o;
 	}
-	if (PyLong_Check(o))
-		return _PyLong_Copy((PyLongObject *)o);
+	if (PyLong_Check(o)) {
+		PyObject *res;
+
+		res = _PyLong_Copy((PyLongObject *)o);
+		if (res != NULL)
+			((PyLongObject *)res)->ob_size =
+				((PyLongObject *)o)->ob_size;
+
+		return res;
+	}
 	if (PyString_Check(o))
 		/* need to do extra error checking that PyLong_FromString() 
 		 * doesn't do.  In particular long('9.5') must raise an
--- a/Objects/object.c
+++ b/Objects/object.c
@ -1191,8 +1191,14 @@ _PyObject_GetDictPtr(PyObject *obj)
 	if (dictoffset == 0)
 		return NULL;
 	if (dictoffset < 0) {
-		const size_t size = _PyObject_VAR_SIZE(tp,
-					((PyVarObject *)obj)->ob_size);
+		int tsize;
+		size_t size;
+
+		tsize = ((PyVarObject *)obj)->ob_size;
+		if (tsize < 0)
+			tsize = -tsize;
+		size = _PyObject_VAR_SIZE(tp, tsize);
+
 		dictoffset += (long)size;
 		assert(dictoffset > 0);
 		assert(dictoffset % SIZEOF_VOID_P == 0);