gh-152275: Add integer overflow guards to the curses chtype and color-pair packing path#152303
Merged
serhiy-storchaka merged 5 commits intoJun 27, 2026
Merged
Conversation
… color-pair packing path curses.color_pair() now raises OverflowError for a pair number too large to be packed, instead of silently masking it to a different pair. The attr argument of the character-cell and attribute methods (addch, addstr, attron, attrset and others) now goes through the checked attr converter, so an out-of-range or non-integer attribute is rejected rather than silently truncated. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
vstinner
approved these changes
Jun 26, 2026
vstinner
left a comment
vstinner
left a comment
Member
There was a problem hiding this comment.
LGTM. Replacing attr: long with attr: attr in Argument Clinic input is simple and reuse attr_converter(). The added tests check for the changed behavior and are enough.
# Conflicts: # Modules/clinic/_cursesmodule.c.h
Documentation build overview
15 files changed ·
|
For methods where attr is an optional argument (addch(), addstr(), insch(), ...) the attr converter left the attr_t variable uninitialized when the argument was omitted, so a garbage value could be applied as character attributes. Give the converter c_ignored_default, as the builtin numeric converters have, so the option-group variable is initialized to zero. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
serhiy-storchaka
force-pushed
the
curses-chtype-overflow
branch
from
ccdf6a4 to
e886f93
Compare
# Conflicts: # Modules/clinic/_cursesmodule.c.h
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Some
cursesmethods silently truncate a color pair or attributes that do not fit in achtype, turning a range error into a wrong-rendering bug instead of an exception.curses.color_pair(n)now raisesOverflowErrorfor a pair number too large to be packed, instead of silently masking it to a different pair (the cause of gh-119138). The check verifies that the value round-trips throughCOLOR_PAIR()/PAIR_NUMBER(), relying only on those macros being inverses, so it is portable and makes no assumption about how the pair is packed.The
attrargument of the character-cell and attribute methods (addch,addstr,addnstr,insch,insstr,insnstr,bkgd,bkgdset,echochar,hline,vline,box,border,attron,attroffandattrset) now goes through the checkedattrconverter, so an out-of-range or non-integer attribute raisesOverflowError/TypeErrorinstead of being silently truncated. This matches the existingpair_converter,component_converter,attr_converterandcurses_setcchar, which already reject out-of-range values.