#13096: Fix segfault in CTypes POINTER handling of large values.

bitdancer · bitdancer · commit 05cfcc6f2c25 · 2014-10-12T14:26:30.000-04:00
Patch by Meador Inge.
diff --git a/Lib/ctypes/test/test_pointers.py b/Lib/ctypes/test/test_pointers.py
@@ -7,6 +7,8 @@
                  c_long, c_ulong, c_longlong, c_ulonglong, c_double, c_float]
 python_types = [int, int, int, int, int, long,
                 int, long, long, long, float, float]
+LargeNamedType = type('T' * 2 ** 25, (Structure,), {})
+large_string = 'T' * 2 ** 25
 
 class PointersTestCase(unittest.TestCase):
 
@@ -188,5 +190,11 @@ def test_pointers_bool(self):
             mth = WINFUNCTYPE(None)(42, "name", (), None)
             self.assertEqual(bool(mth), True)
 
+    def test_pointer_type_name(self):
+        self.assertTrue(POINTER(LargeNamedType))
+
+    def test_pointer_type_str_name(self):
+        self.assertTrue(POINTER(large_string))
+
 if __name__ == '__main__':
     unittest.main()
diff --git a/Misc/NEWS b/Misc/NEWS
@@ -37,6 +37,9 @@ Core and Builtins
 Library
 -------
 
+- Issue #13096: Fixed segfault in CTypes POINTER handling of large
+  values.
+
 - Issue #11694: Raise ConversionError in xdrlib as documented.  Patch
   by Filip Gruszczyński and Claudiu Popa.
 
diff --git a/Modules/_ctypes/callproc.c b/Modules/_ctypes/callproc.c
@@ -1807,7 +1807,9 @@ POINTER(PyObject *self, PyObject *cls)
         return result;
     }
     if (PyString_CheckExact(cls)) {
-        buf = alloca(strlen(PyString_AS_STRING(cls)) + 3 + 1);
+        buf = PyMem_Malloc(strlen(PyString_AS_STRING(cls)) + 3 + 1);
+        if (buf == NULL)
+            return PyErr_NoMemory();
         sprintf(buf, "LP_%s", PyString_AS_STRING(cls));
         result = PyObject_CallFunction((PyObject *)Py_TYPE(&PyCPointer_Type),
                                        "s(O){}",
@@ -1818,13 +1820,16 @@ POINTER(PyObject *self, PyObject *cls)
         key = PyLong_FromVoidPtr(result);
     } else if (PyType_Check(cls)) {
         typ = (PyTypeObject *)cls;
-        buf = alloca(strlen(typ->tp_name) + 3 + 1);
+        buf = PyMem_Malloc(strlen(typ->tp_name) + 3 + 1);
+        if (buf == NULL)
+            return PyErr_NoMemory();
         sprintf(buf, "LP_%s", typ->tp_name);
         result = PyObject_CallFunction((PyObject *)Py_TYPE(&PyCPointer_Type),
                                        "s(O){sO}",
                                        buf,
                                        &PyCPointer_Type,
                                        "_type_", cls);
+        PyMem_Free(buf);
         if (result == NULL)
             return result;
         Py_INCREF(cls);
