python · picnixz · Oct 29, 2024 · Oct 29, 2024 · Oct 29, 2024 · Oct 29, 2024
diff --git a/Lib/test/test_code.py b/Lib/test/test_code.py
@@ -208,6 +208,12 @@
     import ctypes
 except ImportError:
     ctypes = None
+
+try:
+    import _testcapi
+except ImportError:
+    _testcapi = None
+
 from test.support import (cpython_only,
                           check_impl_detail, requires_debug_ranges,
                           gc_collect, Py_GIL_DISABLED)
@@ -595,6 +601,25 @@ def test_code_equal_with_instrumentation(self):
         self.assertNotEqual(code1, code2)
         sys.settrace(None)
 
+    @unittest.skipUnless(ctypes, "requires ctypes")
+    @unittest.skipUnless(_testcapi, "requires _testcapi")
+    def test_co_framesize_overflow(self):
+        # See: https://github.com/python/cpython/issues/126119.
+
+        def foo(a, b):
+            x = a * b
+            return x
+
+        c = foo.__code__
+
+        co_nlocalsplus = len({*c.co_varnames, *c.co_cellvars, *c.co_freevars})
+        # anything below that limit is a valid co_stacksize
+        evil_stacksize = int(_testcapi.INT_MAX / 16 - co_nlocalsplus)
+
+        with self.assertRaisesRegex(OverflowError, "stack size is too large"):
+            c.__replace__(co_stacksize=evil_stacksize)
+        c.__replace__(co_stacksize=evil_stacksize - 1)
+
 
 def isinterned(s):
     return s is sys.intern(('_' + s + '_')[1:-1])

diff --git a/Misc/NEWS.d/next/Core_and_Builtins/2024-10-29-11-47-19.gh-issue-126119.xbAvxt.rst b/Misc/NEWS.d/next/Core_and_Builtins/2024-10-29-11-47-19.gh-issue-126119.xbAvxt.rst
@@ -0,0 +1,4 @@
+Fix a crash in DEBUG builds due to an overflow when the :attr:`co_stacksize
+<codeobject.co_stacksize>` field of a :ref:`code object <code-objects>` is
+set to an absurdly large integer.
+Reported by Valery Fedorenko. Patch by Bénédikt Tran.
@@ -454,7 +454,22 @@ _PyCode_Validate(struct _PyCodeConstructor *con)
         PyErr_SetString(PyExc_ValueError, "code: co_varnames is too small");
         return -1;
     }
-
+    /*
+     * Since framesize = stacksize + nlocalsplus + FRAME_SPECIALS_SIZE is used
+     * as framesize * sizeof(PyObject *) and assumed to be < INT_MAX in many
+     * other places, we need to limit stacksize + nlocalsplus in order to
+     * avoid overflows.
+     *
+     * See https://github.com/python/cpython/issues/126119 for details
+     * and corresponding PR for the rationale on the upper limit value.
+     */
+    Py_ssize_t limit = (Py_ssize_t)(INT_MAX / 16);
+    Py_ssize_t nlocalsplus = PyTuple_GET_SIZE(con->localsplusnames);
+    if (nlocalsplus >= limit || con->stacksize >= limit - nlocalsplus) {
+        PyErr_SetString(PyExc_OverflowError,
+                        "code: locals + stack size is too large");
+        return -1;
+    }
     return 0;
 }