fix overflow in frame's stacksizes

picnixz · picnixz · commit dbf3d61fedd9 · 2024-10-29T11:43:23.000+01:00
diff --git a/Lib/test/test_code.py b/Lib/test/test_code.py
@@ -523,6 +523,18 @@ def test_code_equal_with_instrumentation(self):
         self.assertNotEqual(code1, code2)
         sys.settrace(None)
 
+    def test_co_stacksize_overflow(self):
+        # See: https://github.com/python/cpython/issues/126119.
+
+        # Since co_framesize = nlocalsplus + co_stacksize + FRAME_SPECIALS_SIZE,
+        # we need to check that co_stacksize is not too large. We could fortify
+        # the test by explicitly checking that bound, but this needs to expose
+        # FRAME_SPECIALS_SIZE and a getter for 'nlocalsplus'.
+
+        c = (lambda: ...).__code__
+        with self.assertRaisesRegex(OverflowError, "co_stacksize"):
+            c.__replace__(co_stacksize=2147483647)
+
 
 def isinterned(s):
     return s is sys.intern(('_' + s + '_')[1:-1])
diff --git a/Objects/codeobject.c b/Objects/codeobject.c
@@ -436,7 +436,12 @@ _PyCode_Validate(struct _PyCodeConstructor *con)
         PyErr_SetString(PyExc_ValueError, "code: co_varnames is too small");
         return -1;
     }
-
+    /* Ensure that the framesize will not overflow */
+    int nlocalsplus = (int)PyTuple_GET_SIZE(con->localsplusnames);
+    if (con->stacksize >= INT_MAX - nlocalsplus - FRAME_SPECIALS_SIZE) {
+        PyErr_SetString(PyExc_OverflowError, "code: co_stacksize is too large");
+        return -1;
+    }
     return 0;
 }
 
diff --git a/Objects/frameobject.c b/Objects/frameobject.c
@@ -1804,11 +1804,22 @@ PyDoc_STRVAR(clear__doc__,
 static PyObject *
 frame_sizeof(PyFrameObject *f, PyObject *Py_UNUSED(ignored))
 {
-    Py_ssize_t res;
-    res = offsetof(PyFrameObject, _f_frame_data) + offsetof(_PyInterpreterFrame, localsplus);
+    Py_ssize_t res = offsetof(PyFrameObject, _f_frame_data)
+                     + offsetof(_PyInterpreterFrame, localsplus);
     PyCodeObject *code = _PyFrame_GetCode(f->f_frame);
-    res += _PyFrame_NumSlotsForCodeObject(code) * sizeof(PyObject *);
-    return PyLong_FromSsize_t(res);
+    int nslots = _PyFrame_NumSlotsForCodeObject(code);
+    assert(nslots >= 0);
+    if ((size_t)nslots >= (PY_SSIZE_T_MAX - res) / sizeof(PyObject *)) {
+        // This could happen if the underlying code object has a
+        // very large stacksize (but at most INT_MAX) yet that the
+        // above offsets make the result overflow.
+        //
+        // This should normally only happen if PY_SSIZE_T_MAX == INT_MAX,
+        // but we anyway raise an exception on other systems for safety.
+        PyErr_SetString(PyExc_OverflowError, "size exceeds PY_SSIZE_T_MAX");
+        return NULL;
+    }
+    return PyLong_FromSsize_t(res + nslots * sizeof(PyObject *));
 }
 
 PyDoc_STRVAR(sizeof__doc__,

Original file line number	Diff line number	Diff line change
`@@ -436,7 +436,12 @@ _PyCode_Validate(struct _PyCodeConstructor *con)`
`436`	`436`	`PyErr_SetString(PyExc_ValueError, "code: co_varnames is too small");`
`437`	`437`	`return -1;`
`438`	`438`	`}`
`439`		`-`
	`439`	`+ /* Ensure that the framesize will not overflow */`
	`440`	`+ int nlocalsplus = (int)PyTuple_GET_SIZE(con->localsplusnames);`
	`441`	`+ if (con->stacksize >= INT_MAX - nlocalsplus - FRAME_SPECIALS_SIZE) {`
	`442`	`+ PyErr_SetString(PyExc_OverflowError, "code: co_stacksize is too large");`
	`443`	`+ return -1;`
	`444`	`+ }`
`440`	`445`	`return 0;`
`441`	`446`	`}`
`442`	`447`