From e47b73dd3cacdaa0220edba10bd2621189a4c7ea Mon Sep 17 00:00:00 2001
From: Rialbat
Date: Fri, 6 Jun 2025 13:43:14 +0300
Subject: [PATCH 1/5] gh-135177: Raise OverflowError in _Py_call_instrumentation_jump to handle potential integer overflow
---
 Python/instrumentation.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/Python/instrumentation.c b/Python/instrumentation.c
index 13bdd041becd69..8229121f25ccae 100644
--- a/Python/instrumentation.c
+++ b/Python/instrumentation.c
@@ -1236,6 +1236,10 @@ _Py_call_instrumentation_jump(
 event == PY_MONITORING_EVENT_BRANCH_RIGHT ||
 event == PY_MONITORING_EVENT_BRANCH_LEFT);
 int to = (int)(dest - _PyFrame_GetBytecode(frame));
+ if (to <= INT_MAX / (int)sizeof(_Py_CODEUNIT)) {
+ PyErr_SetString(PyExc_OverflowError, "instruction offset is too large for int");
+ return NULL;
+ }
 PyObject *to_obj = PyLong_FromLong(to * (int)sizeof(_Py_CODEUNIT));
 if (to_obj == NULL) {
 return NULL;
From d0b499e88dbed9cc81a10d58665c325c324b6d8c Mon Sep 17 00:00:00 2001
From: rialbat <47256826+rialbat@users.noreply.github.com>
Date: Fri, 6 Jun 2025 13:58:11 +0300
Subject: [PATCH 2/5] gh-135177: Fix error description
Co-authored-by: Peter Bierma
---
 Python/instrumentation.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Python/instrumentation.c b/Python/instrumentation.c
index 8229121f25ccae..00d8fdee60b2c5 100644
--- a/Python/instrumentation.c
+++ b/Python/instrumentation.c
@@ -1237,7 +1237,7 @@ _Py_call_instrumentation_jump(
 event == PY_MONITORING_EVENT_BRANCH_LEFT);
 int to = (int)(dest - _PyFrame_GetBytecode(frame));
 if (to <= INT_MAX / (int)sizeof(_Py_CODEUNIT)) {
- PyErr_SetString(PyExc_OverflowError, "instruction offset is too large for int");
+ PyErr_SetString(PyExc_OverflowError, "instruction offset cannot be converted to an integer");
 return NULL;
 }
 PyObject *to_obj = PyLong_FromLong(to * (int)sizeof(_Py_CODEUNIT));
From 2eaf739fb944a260308d301ff13b03bec792c96e Mon Sep 17 00:00:00 2001
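Review bot: The new guard in the PATCH 1/5 hunk is inverted — `to <= INT_MAX / (int)sizeof(_Py_CODEUNIT)` holds for every ordinary offset, so the function raises OverflowError on each jump/branch event and lets only the out-of-range case through; the comparison should read `if (to > INT_MAX / (int)sizeof(_Py_CODEUNIT)) {`. The check also runs after `(int)(dest - _PyFrame_GetBytecode(frame))` has already truncated the pointer difference, so an offset that does not fit an int is tested in its truncated form; the range test belongs on the untruncated difference, e.g. `Py_ssize_t diff = dest - _PyFrame_GetBytecode(frame);` taken before any cast. The same condition is carried unchanged through the hunks of PATCH 2/5 and PATCH 3/5, which only reword the message; PATCH 4/5 replaces this path with a Py_ssize_t computation, which resolves both points. _Py_call_instrumentation_jump starts before and continues after this hunk.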
From: rialbat <47256826+rialbat@users.noreply.github.com>
Date: Fri, 6 Jun 2025 14:21:41 +0300
Subject: [PATCH 3/5] gh-135177: Updated the error description
Clarified that we are referring to the int type in C.
Co-authored-by: Victor Stinner
---
 Python/instrumentation.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Python/instrumentation.c b/Python/instrumentation.c
index 00d8fdee60b2c5..ef87f33ae912f6 100644
--- a/Python/instrumentation.c
+++ b/Python/instrumentation.c
@@ -1237,7 +1237,7 @@ _Py_call_instrumentation_jump(
 event == PY_MONITORING_EVENT_BRANCH_LEFT);
 int to = (int)(dest - _PyFrame_GetBytecode(frame));
 if (to <= INT_MAX / (int)sizeof(_Py_CODEUNIT)) {
- PyErr_SetString(PyExc_OverflowError, "instruction offset cannot be converted to an integer");
+ PyErr_SetString(PyExc_OverflowError, "instruction offset cannot be converted to a C int");
 return NULL;
 }
 PyObject *to_obj = PyLong_FromLong(to * (int)sizeof(_Py_CODEUNIT));
From 0d4cfd08c1abc2a63b20532674f1fa734e74a304 Mon Sep 17 00:00:00 2001
From: rialbat <47256826+rialbat@users.noreply.github.com>
Date: Fri, 6 Jun 2025 14:41:58 +0300
Subject: [PATCH 4/5] gh-135177: Change `to` variable to a larger type to prevent potential overflow
Co-authored-by: Victor Stinner
---
 Python/instrumentation.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/Python/instrumentation.c b/Python/instrumentation.c
index ef87f33ae912f6..b20c50ade47941 100644
--- a/Python/instrumentation.c
+++ b/Python/instrumentation.c
@@ -1235,12 +1235,9 @@ _Py_call_instrumentation_jump(
 assert(event == PY_MONITORING_EVENT_JUMP ||
 event == PY_MONITORING_EVENT_BRANCH_RIGHT ||
 event == PY_MONITORING_EVENT_BRANCH_LEFT);
- int to = (int)(dest - _PyFrame_GetBytecode(frame));
- if (to <= INT_MAX / (int)sizeof(_Py_CODEUNIT)) {
- PyErr_SetString(PyExc_OverflowError, "instruction offset cannot be converted to a C int");
- return NULL;
- }
- PyObject *to_obj = PyLong_FromLong(to * (int)sizeof(_Py_CODEUNIT));
+ Py_ssize_t to = (dest - _PyFrame_GetBytecode(frame));
+ assert(to <= PY_SSIZE_T_MAX / sizeof(_Py_CODEUNIT));
+ PyObject *to_obj = PyLong_FromSsize_t(to * sizeof(_Py_CODEUNIT));
 if (to_obj == NULL) {
 return NULL;
 }
From c7e2e4147f1a8d5bf6b3b32d611b79bbfddddecd Mon Sep 17 00:00:00 2001
From: rialbat <47256826+rialbat@users.noreply.github.com>
Date: Fri, 6 Jun 2025 14:54:41 +0300
Subject: [PATCH 5/5] gh-135177: Fix compiler warning by casting sizeof(_Py_CODEUNIT) to Py_ssize_t for type consistency in assert
Co-authored-by: Victor Stinner
---
 Python/instrumentation.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Python/instrumentation.c b/Python/instrumentation.c
index b20c50ade47941..494f6bb149e952 100644
--- a/Python/instrumentation.c
+++ b/Python/instrumentation.c
@@ -1236,7 +1236,7 @@ _Py_call_instrumentation_jump(
 event == PY_MONITORING_EVENT_BRANCH_RIGHT ||
 event == PY_MONITORING_EVENT_BRANCH_LEFT);
 Py_ssize_t to = (dest - _PyFrame_GetBytecode(frame));
- assert(to <= PY_SSIZE_T_MAX / sizeof(_Py_CODEUNIT));
+ assert(to <= PY_SSIZE_T_MAX / (Py_ssize_t)sizeof(_Py_CODEUNIT));
 PyObject *to_obj = PyLong_FromSsize_t(to * sizeof(_Py_CODEUNIT));
 if (to_obj == NULL) {
 return NULL;
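Review bot: The assert added in the PATCH 4/5 hunk bounds `to` only from above; a negative difference (dest before the start of the bytecode) passes it and `PyLong_FromSsize_t` then boxes a negative byte offset, so the invariant is better stated as `assert(0 <= to && to <= PY_SSIZE_T_MAX / (Py_ssize_t)sizeof(_Py_CODEUNIT));`. The multiplication on the following line mixes a Py_ssize_t with a size_t, so the product is computed unsigned and implicitly converted back for the Py_ssize_t parameter; `PyLong_FromSsize_t(to * (Py_ssize_t)sizeof(_Py_CODEUNIT))` keeps it signed and consistent with the cast PATCH 5/5 adds to the assert. Because the assert is compiled out in release builds, a comment such as `/* dest lies inside the frame's code object, so the byte offset cannot exceed the object's own size. */` would record why no runtime check is needed — assuming that bound holds here, which the hunk itself does not show. The same lines recur in the PATCH 5/5 hunk; _Py_call_instrumentation_jump starts before this hunk.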