[Python-Dev] PyArg_ParseTupe(): parse unsigned integer and check for overflow (original) (raw)

Nadeem Vawda nadeem.vawda at gmail.com
Sat Jun 29 17:16:46 CEST 2013

On Thu, Jun 27, 2013 at 12:07 AM, Victor Stinner <victor.stinner at gmail.com>wrote:

I would to parse an integer in [0; UINTMAX] to fix the zlib module on 64-bit system: http://bugs.python.org/issue18294

How should I implement that? Use "O" format and then use PyLongCheck(), PyLongAsLong(), and check value <= UINTMAX?

I ran into the same problem in the _lzma module. My solution was to define a custom converter that does an explicit check before returning the value (see http://hg.python.org/cpython/file/default/Modules/_lzmamodule.c#l134).

On Thu, Jun 27, 2013 at 12:26 AM, Guido van Rossum <guido at python.org> wrote:

> I would to parse an integer in [0; UINTMAX] to fix the zlib module on > 64-bit system: > http://bugs.python.org/issue18294 > > How should I implement that? Use "O" format and then use > PyLongCheck(), PyLongAsLong(), and check value <= UINTMAX?

Why can't you use the K format? It won't reject out-of-range values, but it will convert them to in-range so there aren't any attacks possible based on bypassing the range check. I'm probably misunderstanding something -- I don't completely understand that bug report. :-(

The point is not to protect against deliberate attacks, but rather to fail loudly (instead of silently) when the caller provides an input that the underlying C library cannot handle.

More information about the Python-Dev mailing list