changeset:   72466:5e456e1a9e8c
user:        Mark Dickinson <mdickinson@enthought.com>
date:        Sat Sep 24 19:11:53 2011 +0100
files:       Objects/stringlib/formatter.h
description:
Issue #1621: Fix undefined behaviour from signed overflow in get_integer (stringlib/formatter.h)


diff -r 95ee0df1e746 -r 5e456e1a9e8c Objects/stringlib/formatter.h
--- a/Objects/stringlib/formatter.h	Sat Sep 24 20:04:29 2011 +0200
+++ b/Objects/stringlib/formatter.h	Sat Sep 24 19:11:53 2011 +0100
@@ -73,7 +73,7 @@
 get_integer(STRINGLIB_CHAR **ptr, STRINGLIB_CHAR *end,
                   Py_ssize_t *result)
 {
-    Py_ssize_t accumulator, digitval, oldaccumulator;
+    Py_ssize_t accumulator, digitval;
     int numdigits;
     accumulator = numdigits = 0;
     for (;;(*ptr)++, numdigits++) {
@@ -83,19 +83,17 @@
         if (digitval < 0)
             break;
         /*
-           This trick was copied from old Unicode format code.  It's cute,
-           but would really suck on an old machine with a slow divide
-           implementation.  Fortunately, in the normal case we do not
-           expect too many digits.
+           Detect possible overflow before it happens:
+
+              accumulator * 10 + digitval > PY_SSIZE_T_MAX if and only if
+              accumulator > (PY_SSIZE_T_MAX - digitval) / 10.
         */
-        oldaccumulator = accumulator;
-        accumulator *= 10;
-        if ((accumulator+10)/10 != oldaccumulator+1) {
+        if (accumulator > (PY_SSIZE_T_MAX - digitval) / 10) {
             PyErr_Format(PyExc_ValueError,
                          "Too many decimal digits in format string");
             return -1;
         }
-        accumulator += digitval;
+        accumulator = accumulator * 10 + digitval;
     }
     *result = accumulator;
     return numdigits;