python · picnixz · Oct 29, 2024 · Oct 29, 2024 · Oct 29, 2024 · Oct 29, 2024
diff --git a/Lib/test/test_code.py b/Lib/test/test_code.py
@@ -523,6 +523,18 @@ def test_code_equal_with_instrumentation(self):
         self.assertNotEqual(code1, code2)
         sys.settrace(None)
 
+    def test_co_stacksize_overflow(self):
+        # See: https://github.com/python/cpython/issues/126119.
+
+        # Since co_framesize = nlocalsplus + co_stacksize + FRAME_SPECIALS_SIZE,
+        # we need to check that co_stacksize is not too large. We could fortify
+        # the test by explicitly checking that bound, but this needs to expose
+        # FRAME_SPECIALS_SIZE and a getter for 'nlocalsplus'.
+
+        c = (lambda: ...).__code__
+        with self.assertRaisesRegex(OverflowError, "co_stacksize"):
+            c.__replace__(co_stacksize=2147483647)
+
 
 def isinterned(s):
     return s is sys.intern(('_' + s + '_')[1:-1])

diff --git a/Misc/NEWS.d/next/Core_and_Builtins/2024-10-29-11-47-19.gh-issue-126119.xbAvxt.rst b/Misc/NEWS.d/next/Core_and_Builtins/2024-10-29-11-47-19.gh-issue-126119.xbAvxt.rst
@@ -0,0 +1,4 @@
+Fix a crash in DEBUG builds due to an overflow when the :attr:`co_stacksize
+<codeobject.co_stacksize>` field of a :ref:`code object <code-objects>` is
+set to an absurdely large integer.
+Reported by Valery Fedorenko. Patch by Bénédikt Tran.
@@ -436,7 +436,12 @@ _PyCode_Validate(struct _PyCodeConstructor *con)
         PyErr_SetString(PyExc_ValueError, "code: co_varnames is too small");
         return -1;
     }
-
+    /* Ensure that the framesize will not overflow */
+    int nlocalsplus = (int)PyTuple_GET_SIZE(con->localsplusnames);
+    if (con->stacksize >= INT_MAX - nlocalsplus - FRAME_SPECIALS_SIZE) {
+        PyErr_SetString(PyExc_OverflowError, "code: co_stacksize is too large");
+        return -1;
+    }
     return 0;
 }
 

@@ -1804,11 +1804,22 @@ PyDoc_STRVAR(clear__doc__,
 static PyObject *
 frame_sizeof(PyFrameObject *f, PyObject *Py_UNUSED(ignored))
 {
-    Py_ssize_t res;
-    res = offsetof(PyFrameObject, _f_frame_data) + offsetof(_PyInterpreterFrame, localsplus);
+    Py_ssize_t res = offsetof(PyFrameObject, _f_frame_data)
+                     + offsetof(_PyInterpreterFrame, localsplus);
     PyCodeObject *code = _PyFrame_GetCode(f->f_frame);
-    res += _PyFrame_NumSlotsForCodeObject(code) * sizeof(PyObject *);
-    return PyLong_FromSsize_t(res);
+    int nslots = _PyFrame_NumSlotsForCodeObject(code);
+    assert(nslots >= 0);
+    if ((size_t)nslots >= (PY_SSIZE_T_MAX - res) / sizeof(PyObject *)) {
+        // This could happen if the underlying code object has a
+        // very large stacksize (but at most INT_MAX) yet that the
+        // above offsets make the result overflow.
+        //
+        // This should normally only happen if PY_SSIZE_T_MAX == INT_MAX,
+        // but we anyway raise an exception on other systems for safety.
+        PyErr_SetString(PyExc_OverflowError, "size exceeds PY_SSIZE_T_MAX");
+        return NULL;
+    }
+    return PyLong_FromSsize_t(res + nslots * sizeof(PyObject *));
 }
 
 PyDoc_STRVAR(sizeof__doc__,