Possible overflow in typeobject.c:tail_contains

[federicovalenso]

Bug report

Bug description:

whence+1 could lead to overflow for large value of whence. I think changing type from int to Py_ssize_t could fix the problem (remain is input parameter):

static int
pmerge(PyObject *acc, PyObject **to_merge, Py_ssize_t to_merge_size)
{
...
    remain = PyMem_New(Py_ssize_t, to_merge_size);

CPython versions tested on:

3.11

Operating systems tested on:

Linux

Linked PRs

• gh-126862: Use Py_ssize_t instead of int when processing the number of super-classes  #127523
• [3.13] gh-126862: Use Py_ssize_t instead of int when processing the number of super-classes (GH-127523) #128699
• [3.12] gh-126862: Use Py_ssize_t instead of int when processing the number of super-classes (GH-127523) #128700

[picnixz]

This one is used in

        candidate = PyTuple_GET_ITEM(cur_tuple, remain[i]);
        for (j = 0; j < to_merge_size; j++) {
            PyObject *j_lst = to_merge[j];
            if (tail_contains(j_lst, remain[j], candidate))
                goto skip; /* continue outer loop */
        }

and for the MRO resolution. Unless we have a VERY huge list of parent classes, I don't think we would hit the overflow.

[picnixz]

cc @JelleZijlstra

[federicovalenso]

@picnixz , should I try to overflow inheritance list? :) Or is there already protection against this?

[picnixz]

Yes, if you can make it happen! (I don't know whether there's a protection)

[JelleZijlstra]

For this to trigger you'd need a class with over 2**32 base classes, right? I currently have a Python terminal open where I'm trying to generate 2**32 classes to test this, and it's been running for more than half an hour already. It's probably OK to change int to Py_ssize_t here for cleanliness, but let's not add a unit test that attempts to trigger this condition.