Potential integer overflow in instrumentation.c #135177

Open
rialbat opened this issue Jun 5, 2025 · 1 comment
Labels
interpreter-core (Objects, Python, Grammar, and Parser dirs) type-bug An unexpected behavior, bug, or error

Comments

@rialbat
Contributor

rialbat commented Jun 5, 2025

The arithmetic expression to * (int)sizeof(_Py_CODEUNIT) can overflow if the number of instructions in a function exceeds MAX_INT / 2, as to represents the instruction offset and sizeof(_Py_CODEUNIT) is 2.

PyObject *to_obj = PyLong_FromLong(to * (int)sizeof(_Py_CODEUNIT));

Linked PRs

rialbat added a commit to rialbat/cpython that referenced this issue Jun 5, 2025
@tomasr8 tomasr8 added the type-bug An unexpected behavior, bug, or error label Jun 6, 2025
rialbat added a commit to rialbat/cpython that referenced this issue Jun 6, 2025
@ZeroIntensity ZeroIntensity added the interpreter-core (Objects, Python, Grammar, and Parser dirs) label Jun 6, 2025
rialbat added a commit to rialbat/cpython that referenced this issue Jun 6, 2025
Co-authored-by: Peter Bierma <zintensitydev@gmail.com>
rialbat added a commit to rialbat/cpython that referenced this issue Jun 6, 2025
Clarified that we are referring to the int type in C.

Co-authored-by: Victor Stinner <vstinner@python.org>
rialbat added a commit to rialbat/cpython that referenced this issue Jun 6, 2025
…ential overflow

Co-authored-by: Victor Stinner <vstinner@python.org>
rialbat added a commit to rialbat/cpython that referenced this issue Jun 6, 2025
… to Py_ssize_t for type consistency in assert

Co-authored-by: Victor Stinner <vstinner@python.org>
@markshannon
Member

The number of instructions will not exceed MAX_INT / 2, the bytecode compiler ensures that.
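
The bound discussed in this thread, worked through as an added example (not CPython's code and not the fix from the linked commits). It assumes `to` is a C `int`, uses `uint16_t` as a stand-in for `_Py_CODEUNIT` (2 bytes, per the issue), and all function names are hypothetical.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for _Py_CODEUNIT; the issue states sizeof(_Py_CODEUNIT) is 2. */
typedef uint16_t code_unit_t;
#define UNIT_SIZE ((int)sizeof(code_unit_t))

/* 1 if `to * UNIT_SIZE` cannot be represented in int, else 0.
 * The check uses division so it never performs the overflowing
 * multiplication itself (signed overflow is undefined behaviour in C). */
int offset_mul_overflows_int(int to)
{
    return to > INT_MAX / UNIT_SIZE || to < INT_MIN / UNIT_SIZE;
}

/* Widen before multiplying: the product is computed in long long,
 * which is at least 64 bits, so every int value of `to` is safe. */
long long byte_offset_wide(int to)
{
    return (long long)to * (long long)sizeof(code_unit_t);
}

/* Checked int version: 0 on success with *out set, -1 if it would overflow. */
int byte_offset_checked(int to, int *out)
{
    if (offset_mul_overflows_int(to)) {
        return -1;
    }
    *out = to * UNIT_SIZE;
    return 0;
}

int main(void)
{
    /* Constructed sample offsets around the INT_MAX / 2 boundary. */
    int samples[] = { 100, INT_MAX / 2, INT_MAX / 2 + 1, INT_MAX };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int out = 0;
        int rc = byte_offset_checked(samples[i], &out);
        printf("to=%d int_result=%s wide=%lld\n", samples[i],
               rc == 0 ? "ok" : "overflow", byte_offset_wide(samples[i]));
    }
    return 0;
}
```
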
