Check other setitem methods

Author: aisk

Lib/test/test_array.py

@@ -1710,6 +1710,20 @@ def __index__(self):
             with self.assertRaises(IndexError):
                 victim[1] = ShrinkIndex()  # Original index 1 should now be out of bounds
 
+        def test_clear_array_float(victim):
+            """Test array clearing scenario using __float__ method"""
+            class EvilFloat:
+                def __float__(self):
+                    # Re-entrant mutation: clear the array while __setitem__
+                    # still holds a pointer to the pre-clear buffer.
+                    victim.clear()
+                    return 0.0
+
+            with self.assertRaises(IndexError):
+                victim[1] = EvilFloat()
+
+            self.assertEqual(len(victim), 0)
+
         # Test various array types
         test_clear_array(array.array('b', [0] * 64))
         test_shrink_array(array.array('b', [1, 2, 3]))
@@ -1719,8 +1733,13 @@ def __index__(self):
         test_clear_array(array.array('i', [1, 2, 3]))
         test_clear_array(array.array('l', [1, 2, 3]))
         test_clear_array(array.array('q', [1, 2, 3]))
-        test_clear_array(array.array('f', [1.0, 2.0, 3.0]))
-        test_clear_array(array.array('d', [1.0, 2.0, 3.0]))
+        test_clear_array(array.array('I', [1, 2, 3]))
+        test_clear_array(array.array('L', [1, 2, 3]))
+        test_clear_array(array.array('Q', [1, 2, 3]))
+
+        # Test float arrays with __float__ method
+        test_clear_array_float(array.array('f', [1.0, 2.0, 3.0]))
+        test_clear_array_float(array.array('d', [1.0, 2.0, 3.0]))
 
 
 if __name__ == "__main__":

Modules/arraymodule.c

@@ -479,6 +479,20 @@ II_setitem(arrayobject *ap, Py_ssize_t i, PyObject *v)
         }
         return -1;
     }
+
+    /* Check buffer validity and bounds after potential user code calls
+     * (_PyNumber_Index and PyLong_AsUnsignedLong may modify the array buffer).
+     * See gh-142555.
+     */
+    if (i >= 0 && (ap->ob_item == NULL || i >= Py_SIZE(ap))) {
+        PyErr_SetString(PyExc_IndexError,
+            "array assignment index out of range");
+        if (do_decref) {
+            Py_DECREF(v);
+        }
+        return -1;
+    }
+
     if (i >= 0)
         ((unsigned int *)ap->ob_item)[i] = (unsigned int)x;
 
@@ -541,6 +555,20 @@ LL_setitem(arrayobject *ap, Py_ssize_t i, PyObject *v)
         }
         return -1;
     }
+
+    /* Check buffer validity and bounds after potential user code calls
+     * (_PyNumber_Index and PyLong_AsUnsignedLong may modify the array buffer).
+     * See gh-142555.
+     */
+    if (i >= 0 && (ap->ob_item == NULL || i >= Py_SIZE(ap))) {
+        PyErr_SetString(PyExc_IndexError,
+            "array assignment index out of range");
+        if (do_decref) {
+            Py_DECREF(v);
+        }
+        return -1;
+    }
+
     if (i >= 0)
         ((unsigned long *)ap->ob_item)[i] = x;
 
@@ -604,6 +632,20 @@ QQ_setitem(arrayobject *ap, Py_ssize_t i, PyObject *v)
         }
         return -1;
     }
+
+    /* Check buffer validity and bounds after potential user code calls
+     * (_PyNumber_Index and PyLong_AsUnsignedLongLong may modify the array buffer).
+     * See gh-142555.
+     */
+    if (i >= 0 && (ap->ob_item == NULL || i >= Py_SIZE(ap))) {
+        PyErr_SetString(PyExc_IndexError,
+            "array assignment index out of range");
+        if (do_decref) {
+            Py_DECREF(v);
+        }
+        return -1;
+    }
+
     if (i >= 0)
         ((unsigned long long *)ap->ob_item)[i] = x;