From 2b6758f55e3b0a4141a54f3c35a0d0cd377ce3cf Mon Sep 17 00:00:00 2001

From: "Gregory P. Smith" <greg@krypto.org>

Date: Mon, 5 Sep 2022 02:21:03 -0700

Subject: [PATCH] gh-95778: CVE-2020-10735: Prevent DoS by very large int()

 (#96502)

* Correctly pre-check for int-to-str conversion (#96537)

Converting a large enough `int` to a decimal string raises `ValueError` as expected. However, the raise comes _after_ the quadratic-time base-conversion algorithm has run to completion. For effective DOS prevention, we need some kind of check before entering the quadratic-time loop. Oops! =)

The quick fix: essentially we catch _most_ values that exceed the threshold up front. Those that slip through will still be on the small side (read: sufficiently fast), and will get caught by the existing check so that the limit remains exact.

The justification for the current check. The C code check is:

```c

max_str_digits / (3 * PyLong_SHIFT) <= (size_a - 11) / 10

```

In GitHub markdown math-speak, writing $M$ for `max_str_digits`, $L$ for `PyLong_SHIFT` and $s$ for `size_a`, that check is:

$$\left\lfloor\frac{M}{3L}\right\rfloor \le \left\lfloor\frac{s - 11}{10}\right\rfloor$$

From this it follows that

$$\frac{M}{3L} < \frac{s-1}{10}$$

hence that

$$\frac{L(s-1)}{M} > \frac{10}{3} > \log_2(10).$$

So

$$2^{L(s-1)} > 10^M.$$

But our input integer $a$ satisfies $|a| \ge 2^{L(s-1)}$, so $|a|$ is larger than $10^M$. This shows that we don't accidentally capture anything _below_ the intended limit in the check.

* Issue: gh-95778

Co-authored-by: Gregory P. Smith [Google LLC] <greg@krypto.org>

Co-authored-by: Christian Heimes <christian@python.org>

Co-authored-by: Mark Dickinson <dickinsm@gmail.com>

---

 Doc/data/python3.9.abi                        |   5 +-

 Doc/library/functions.rst                     |   8 +

 Doc/library/json.rst                          |  11 +

 Doc/library/stdtypes.rst                      | 159 ++++++++++++++

 Doc/library/sys.rst                           |  59 ++++--

 Doc/library/test.rst                          |  10 +

 Doc/using/cmdline.rst                         |  13 ++

 Doc/whatsnew/3.9.rst                          |  14 ++

 Include/internal/pycore_initconfig.h          |   2 +

 Include/internal/pycore_interp.h              |   2 +

 Include/internal/pycore_long.h                |  49 +++++

 Lib/test/support/__init__.py                  |  11 +

 Lib/test/test_ast.py                          |   8 +

 Lib/test/test_cmd_line.py                     |  33 +++

 Lib/test/test_compile.py                      |  13 ++

 Lib/test/test_decimal.py                      |  18 ++

 Lib/test/test_int.py                          | 196 ++++++++++++++++++

 Lib/test/test_json/test_decode.py             |   9 +

 Lib/test/test_sys.py                          |  11 +-

 Lib/test/test_xmlrpc.py                       |  10 +

 Makefile.pre.in                               |   1 +

 ...08-07-16-53-38.gh-issue-95778.ch010gps.rst |  14 ++

 Objects/longobject.c                          |  65 +++++-

 Parser/pegen/pegen.c                          |  18 ++

 Python/clinic/sysmodule.c.h                   |  60 +++++-

 Python/initconfig.c                           |  60 ++++++

 Python/sysmodule.c                            |  46 +++-

 27 files changed, 886 insertions(+), 19 deletions(-)

 create mode 100644 Include/internal/pycore_long.h

 create mode 100644 Misc/NEWS.d/next/Security/2022-08-07-16-53-38.gh-issue-95778.ch010gps.rst

diff --git a/Doc/data/python3.9.abi b/Doc/data/python3.9.abi

index e203743..cca9779 100644

--- a/Doc/data/python3.9.abi

+++ b/Doc/data/python3.9.abi

@@ -5653,7 +5653,7 @@

         <var-decl name='id' type-id='type-id-238' visibility='default' filepath='./Include/cpython/pystate.h' line='137' column='1'/>

       </data-member>

     </class-decl>

-    <class-decl name='_is' size-in-bits='45184' is-struct='yes' visibility='default' filepath='./Include/internal/pycore_interp.h' line='71' column='1' id='type-id-313'>

+    <class-decl name='_is' size-in-bits='45248' is-struct='yes' visibility='default' filepath='./Include/internal/pycore_interp.h' line='71' column='1' id='type-id-313'>

       <data-member access='public' layout-offset-in-bits='0'>

         <var-decl name='next' type-id='type-id-314' visibility='default' filepath='./Include/internal/pycore_interp.h' line='73' column='1'/>

       </data-member>

@@ -5774,6 +5774,9 @@

       <data-member access='public' layout-offset-in-bits='28416'>

         <var-decl name='small_ints' type-id='type-id-326' visibility='default' filepath='./Include/internal/pycore_interp.h' line='155' column='1'/>

       </data-member>

+      <data-member access='public' layout-offset-in-bits='45184'>

+        <var-decl name='int_max_str_digits' type-id='type-id-8' visibility='default' filepath='./Include/internal/pycore_interp.h' line='158' column='1'/>

+      </data-member>

     </class-decl>

     <pointer-type-def type-id='type-id-313' size-in-bits='64' id='type-id-314'/>

     <class-decl name='pyruntimestate' size-in-bits='5248' is-struct='yes' visibility='default' filepath='./Include/internal/pycore_runtime.h' line='52' column='1' id='type-id-327'>

diff --git a/Doc/library/functions.rst b/Doc/library/functions.rst

index 8df557e..820b313 100644

--- a/Doc/library/functions.rst

+++ b/Doc/library/functions.rst

@@ -844,6 +844,14 @@ are always available.  They are listed here in alphabetical order.

    .. versionchanged:: 3.8

       Falls back to :meth:`__index__` if :meth:`__int__` is not defined.

+   .. versionchanged:: 3.9.14

+      :class:`int` string inputs and string representations can be limited to

+      help avoid denial of service attacks. A :exc:`ValueError` is raised when

+      the limit is exceeded while converting a string *x* to an :class:`int` or

+      when converting an :class:`int` into a string would exceed the limit.

+      See the :ref:`integer string conversion length limitation

+      <int_max_str_digits>` documentation.

+

 .. function:: isinstance(object, classinfo)

diff --git a/Doc/library/json.rst b/Doc/library/json.rst

index 1810e04..6b715b5 100644

--- a/Doc/library/json.rst

+++ b/Doc/library/json.rst

@@ -18,6 +18,11 @@ is a lightweight data interchange format inspired by

 `JavaScript <https://en.wikipedia.org/wiki/JavaScript>`_ object literal syntax

 (although it is not a strict subset of JavaScript [#rfc-errata]_ ).

+.. warning::

+   Be cautious when parsing JSON data from untrusted sources. A malicious

+   JSON string may cause the decoder to consume considerable CPU and memory

+   resources. Limiting the size of data to be parsed is recommended.

+

 :mod:`json` exposes an API familiar to users of the standard library

 :mod:`marshal` and :mod:`pickle` modules.

@@ -255,6 +260,12 @@ Basic Usage

    be used to use another datatype or parser for JSON integers

    (e.g. :class:`float`).

+   .. versionchanged:: 3.9.14

+      The default *parse_int* of :func:`int` now limits the maximum length of

+      the integer string via the interpreter's :ref:`integer string

+      conversion length limitation <int_max_str_digits>` to help avoid denial

+      of service attacks.

+

    *parse_constant*, if specified, will be called with one of the following

    strings: ``'-Infinity'``, ``'Infinity'``, ``'NaN'``.

    This can be used to raise an exception if invalid JSON numbers

diff --git a/Doc/library/stdtypes.rst b/Doc/library/stdtypes.rst

index bfa0e74..f88e81f 100644

--- a/Doc/library/stdtypes.rst

+++ b/Doc/library/stdtypes.rst

@@ -5206,6 +5206,165 @@ types, where they are relevant.  Some of these are not reported by the

       [<class 'bool'>]

+.. _int_max_str_digits:

+

+Integer string conversion length limitation

+===========================================

+

+CPython has a global limit for converting between :class:`int` and :class:`str`

+to mitigate denial of service attacks. This limit *only* applies to decimal or

+other non-power-of-two number bases. Hexadecimal, octal, and binary conversions

+are unlimited. The limit can be configured.

+

+The :class:`int` type in CPython is an abitrary length number stored in binary

+form (commonly known as a "bignum"). There exists no algorithm that can convert

+a string to a binary integer or a binary integer to a string in linear time,

+*unless* the base is a power of 2. Even the best known algorithms for base 10

+have sub-quadratic complexity. Converting a large value such as ``int('1' *

+500_000)`` can take over a second on a fast CPU.

+

+Limiting conversion size offers a practical way to avoid `CVE-2020-10735

+<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735>`_.

+

+The limit is applied to the number of digit characters in the input or output

+string when a non-linear conversion algorithm would be involved.  Underscores

+and the sign are not counted towards the limit.

+

+When an operation would exceed the limit, a :exc:`ValueError` is raised:

+

+.. doctest::

+

+   >>> import sys

+   >>> sys.set_int_max_str_digits(4300)  # Illustrative, this is the default.

+   >>> _ = int('2' * 5432)

+   Traceback (most recent call last):

+   ...

+   ValueError: Exceeds the limit (4300) for integer string conversion: value has 5432 digits.

+   >>> i = int('2' * 4300)

+   >>> len(str(i))

+   4300

+   >>> i_squared = i*i

+   >>> len(str(i_squared))

+   Traceback (most recent call last):

+   ...

+   ValueError: Exceeds the limit (4300) for integer string conversion: value has 8599 digits.

+   >>> len(hex(i_squared))

+   7144

+   >>> assert int(hex(i_squared), base=16) == i*i  # Hexadecimal is unlimited.

+

+The default limit is 4300 digits as provided in

+:data:`sys.int_info.default_max_str_digits <sys.int_info>`.

+The lowest limit that can be configured is 640 digits as provided in

+:data:`sys.int_info.str_digits_check_threshold <sys.int_info>`.

+

+Verification:

+

+.. doctest::

+

+   >>> import sys

+   >>> assert sys.int_info.default_max_str_digits == 4300, sys.int_info

+   >>> assert sys.int_info.str_digits_check_threshold == 640, sys.int_info

+   >>> msg = int('578966293710682886880994035146873798396722250538762761564'

+   ...           '9252925514383915483333812743580549779436104706260696366600'

+   ...           '571186405732').to_bytes(53, 'big')

+   ...

+

+.. versionadded:: 3.9.14

+

+Affected APIs

+-------------

+

+The limitation only applies to potentially slow conversions between :class:`int`

+and :class:`str` or :class:`bytes`:

+

+* ``int(string)`` with default base 10.

+* ``int(string, base)`` for all bases that are not a power of 2.

+* ``str(integer)``.

+* ``repr(integer)``

+* any other string conversion to base 10, for example ``f"{integer}"``,

+  ``"{}".format(integer)``, or ``b"%d" % integer``.

+

+The limitations do not apply to functions with a linear algorithm:

+

+* ``int(string, base)`` with base 2, 4, 8, 16, or 32.

+* :func:`int.from_bytes` and :func:`int.to_bytes`.

+* :func:`hex`, :func:`oct`, :func:`bin`.

+* :ref:`formatspec` for hex, octal, and binary numbers.

+* :class:`str` to :class:`float`.

+* :class:`str` to :class:`decimal.Decimal`.

+

+Configuring the limit

+---------------------

+

+Before Python starts up you can use an environment variable or an interpreter

+command line flag to configure the limit:

+

+* :envvar:`PYTHONINTMAXSTRDIGITS`, e.g.

+  ``PYTHONINTMAXSTRDIGITS=640 python3`` to set the limit to 640 or

+  ``PYTHONINTMAXSTRDIGITS=0 python3`` to disable the limitation.

+* :option:`-X int_max_str_digits <-X>`, e.g.

+  ``python3 -X int_max_str_digits=640``

+* :data:`sys.flags.int_max_str_digits` contains the value of

+  :envvar:`PYTHONINTMAXSTRDIGITS` or :option:`-X int_max_str_digits <-X>`.

+  If both the env var and the ``-X`` option are set, the ``-X`` option takes

+  precedence. A value of *-1* indicates that both were unset, thus a value of

+  :data:`sys.int_info.default_max_str_digits` was used during initilization.

+

+From code, you can inspect the current limit and set a new one using these

+:mod:`sys` APIs:

+

+* :func:`sys.get_int_max_str_digits` and :func:`sys.set_int_max_str_digits` are

+  a getter and setter for the interpreter-wide limit. Subinterpreters have

+  their own limit.

+

+Information about the default and minimum can be found in :attr:`sys.int_info`:

+

+* :data:`sys.int_info.default_max_str_digits <sys.int_info>` is the compiled-in

+  default limit.

+* :data:`sys.int_info.str_digits_check_threshold <sys.int_info>` is the lowest

+  accepted value for the limit (other than 0 which disables it).

+

+.. versionadded:: 3.9.14

+

+.. caution::

+

+   Setting a low limit *can* lead to problems. While rare, code exists that

+   contains integer constants in decimal in their source that exceed the

+   minimum threshold. A consequence of setting the limit is that Python source

+   code containing decimal integer literals longer than the limit will

+   encounter an error during parsing, usually at startup time or import time or

+   even at installation time - anytime an up to date ``.pyc`` does not already

+   exist for the code. A workaround for source that contains such large

+   constants is to convert them to ``0x`` hexadecimal form as it has no limit.

+

+   Test your application thoroughly if you use a low limit. Ensure your tests

+   run with the limit set early via the environment or flag so that it applies

+   during startup and even during any installation step that may invoke Python

+   to precompile ``.py`` sources to ``.pyc`` files.

+

+Recommended configuration

+-------------------------

+

+The default :data:`sys.int_info.default_max_str_digits` is expected to be

+reasonable for most applications. If your application requires a different

+limit, set it from your main entry point using Python version agnostic code as

+these APIs were added in security patch releases in versions before 3.11.

+

+Example::

+

+   >>> import sys

+   >>> if hasattr(sys, "set_int_max_str_digits"):

+   ...     upper_bound = 68000

+   ...     lower_bound = 4004

+   ...     current_limit = sys.get_int_max_str_digits()

+   ...     if current_limit == 0 or current_limit > upper_bound:

+   ...         sys.set_int_max_str_digits(upper_bound)

+   ...     elif current_limit < lower_bound:

+   ...         sys.set_int_max_str_digits(lower_bound)

+

+If you need to disable it entirely, set it to ``0``.

+

+

 .. rubric:: Footnotes

 .. [1] Additional information on these special methods may be found in the Python

diff --git a/Doc/library/sys.rst b/Doc/library/sys.rst

index 9e18282..9b98bc5 100644

--- a/Doc/library/sys.rst

+++ b/Doc/library/sys.rst

@@ -445,9 +445,9 @@ always available.

    The :term:`named tuple` *flags* exposes the status of command line

    flags. The attributes are read only.

-   ============================= ================================================================

+   ============================= ==============================================================================================================

    attribute                     flag

-   ============================= ================================================================

+   ============================= ==============================================================================================================

    :const:`debug`                :option:`-d`

    :const:`inspect`              :option:`-i`

    :const:`interactive`          :option:`-i`

@@ -463,7 +463,8 @@ always available.

    :const:`hash_randomization`   :option:`-R`

    :const:`dev_mode`             :option:`-X dev <-X>` (:ref:`Python Development Mode <devmode>`)

    :const:`utf8_mode`            :option:`-X utf8 <-X>`

-   ============================= ================================================================

+   :const:`int_max_str_digits`   :option:`-X int_max_str_digits <-X>` (:ref:`integer string conversion length limitation <int_max_str_digits>`)

+   ============================= ==============================================================================================================

    .. versionchanged:: 3.2

       Added ``quiet`` attribute for the new :option:`-q` flag.

@@ -482,6 +483,9 @@ always available.

       Mode <devmode>` and the ``utf8_mode`` attribute for the new  :option:`-X`

       ``utf8`` flag.

+   .. versionchanged:: 3.9.14

+      Added the ``int_max_str_digits`` attribute.

+

 .. data:: float_info

@@ -660,6 +664,15 @@ always available.

    .. versionadded:: 3.6

+

+.. function:: get_int_max_str_digits()

+

+   Returns the current value for the :ref:`integer string conversion length

+   limitation <int_max_str_digits>`. See also :func:`set_int_max_str_digits`.

+

+   .. versionadded:: 3.9.14

+

+

 .. function:: getrefcount(object)

    Return the reference count of the *object*.  The count returned is generally one

@@ -933,19 +946,31 @@ always available.

    .. tabularcolumns:: |l|L|

-   +-------------------------+----------------------------------------------+

-   | Attribute               | Explanation                                  |

-   +=========================+==============================================+

-   | :const:`bits_per_digit` | number of bits held in each digit.  Python   |

-   |                         | integers are stored internally in base       |

-   |                         | ``2**int_info.bits_per_digit``               |

-   +-------------------------+----------------------------------------------+

-   | :const:`sizeof_digit`   | size in bytes of the C type used to          |

-   |                         | represent a digit                            |

-   +-------------------------+----------------------------------------------+

+   +----------------------------------------+-----------------------------------------------+

+   | Attribute                              | Explanation                                   |

+   +========================================+===============================================+

+   | :const:`bits_per_digit`                | number of bits held in each digit.  Python    |

+   |                                        | integers are stored internally in base        |

+   |                                        | ``2**int_info.bits_per_digit``                |

+   +----------------------------------------+-----------------------------------------------+

+   | :const:`sizeof_digit`                  | size in bytes of the C type used to           |

+   |                                        | represent a digit                             |

+   +----------------------------------------+-----------------------------------------------+

+   | :const:`default_max_str_digits`        | default value for                             |

+   |                                        | :func:`sys.get_int_max_str_digits` when it    |

+   |                                        | is not otherwise explicitly configured.       |

+   +----------------------------------------+-----------------------------------------------+

+   | :const:`str_digits_check_threshold`    | minimum non-zero value for                    |

+   |                                        | :func:`sys.set_int_max_str_digits`,           |

+   |                                        | :envvar:`PYTHONINTMAXSTRDIGITS`, or           |

+   |                                        | :option:`-X int_max_str_digits <-X>`.         |

+   +----------------------------------------+-----------------------------------------------+

    .. versionadded:: 3.1

+   .. versionchanged:: 3.9.14

+      Added ``default_max_str_digits`` and ``str_digits_check_threshold``.

+

 .. data:: __interactivehook__

@@ -1223,6 +1248,14 @@ always available.

    .. availability:: Unix.

+.. function:: set_int_max_str_digits(n)

+

+   Set the :ref:`integer string conversion length limitation

+   <int_max_str_digits>` used by this interpreter. See also

+   :func:`get_int_max_str_digits`.

+

+   .. versionadded:: 3.9.14

+

 .. function:: setprofile(profilefunc)

    .. index::

diff --git a/Doc/library/test.rst b/Doc/library/test.rst

index 16f908c..563197f 100644

--- a/Doc/library/test.rst

+++ b/Doc/library/test.rst

@@ -1302,6 +1302,16 @@ The :mod:`test.support` module defines the following functions:

    .. versionadded:: 3.6

+.. function:: adjust_int_max_str_digits(max_digits)

+

+   This function returns a context manager that will change the global

+   :func:`sys.set_int_max_str_digits` setting for the duration of the

+   context to allow execution of test code that needs a different limit

+   on the number of digits when converting between an integer and string.

+

+   .. versionadded:: 3.9.14

+

+

 The :mod:`test.support` module defines the following classes:

 .. class:: TransientResource(exc, **kwargs)

diff --git a/Doc/using/cmdline.rst b/Doc/using/cmdline.rst

index 5739388..66d8d57 100644

--- a/Doc/using/cmdline.rst

+++ b/Doc/using/cmdline.rst

@@ -436,6 +436,9 @@ Miscellaneous options

      stored in a traceback of a trace. Use ``-X tracemalloc=NFRAME`` to start

      tracing with a traceback limit of *NFRAME* frames. See the

      :func:`tracemalloc.start` for more information.

+   * ``-X int_max_str_digits`` configures the :ref:`integer string conversion

+     length limitation <int_max_str_digits>`.  See also

+     :envvar:`PYTHONINTMAXSTRDIGITS`.

    * ``-X importtime`` to show how long each import takes. It shows module

      name, cumulative time (including nested imports) and self time (excluding

      nested imports).  Note that its output may be broken in multi-threaded

@@ -480,6 +483,9 @@ Miscellaneous options

       The ``-X showalloccount`` option has been removed.

+   .. versionadded:: 3.9.14

+      The ``-X int_max_str_digits`` option.

+

    .. deprecated-removed:: 3.9 3.10

       The ``-X oldparser`` option.

@@ -659,6 +665,13 @@ conflict.

    .. versionadded:: 3.2.3

+.. envvar:: PYTHONINTMAXSTRDIGITS

+

+   If this variable is set to an integer, it is used to configure the

+   interpreter's global :ref:`integer string conversion length limitation

+   <int_max_str_digits>`.

+

+   .. versionadded:: 3.9.14

 .. envvar:: PYTHONIOENCODING

diff --git a/Doc/whatsnew/3.9.rst b/Doc/whatsnew/3.9.rst

index 0662adb..2270d3e 100644

--- a/Doc/whatsnew/3.9.rst

+++ b/Doc/whatsnew/3.9.rst

@@ -1570,3 +1570,17 @@ URL by the parser in :mod:`urllib.parse` preventing such attacks. The removal

 characters are controlled by a new module level variable

 ``urllib.parse._UNSAFE_URL_BYTES_TO_REMOVE``. (See :issue:`43882`)

+Notable security feature in 3.9.14

+==================================

+

+Converting between :class:`int` and :class:`str` in bases other than 2

+(binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal)

+now raises a :exc:`ValueError` if the number of digits in string form is

+above a limit to avoid potential denial of service attacks due to the

+algorithmic complexity. This is a mitigation for `CVE-2020-10735

+<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735>`_.

+This limit can be configured or disabled by environment variable, command

+line flag, or :mod:`sys` APIs. See the :ref:`integer string conversion

+length limitation <int_max_str_digits>` documentation.  The default limit

+is 4300 digits in string form.

+

diff --git a/Include/internal/pycore_initconfig.h b/Include/internal/pycore_initconfig.h

index 457a005..ad1b7e5 100644

--- a/Include/internal/pycore_initconfig.h

+++ b/Include/internal/pycore_initconfig.h

@@ -156,6 +156,8 @@ extern PyStatus _PyConfig_SetPyArgv(

     PyConfig *config,

     const _PyArgv *args);

+extern int _Py_global_config_int_max_str_digits;

+

 /* --- Function used for testing ---------------------------------- */

diff --git a/Include/internal/pycore_interp.h b/Include/internal/pycore_interp.h

index 551ad83..304d704 100644

--- a/Include/internal/pycore_interp.h

+++ b/Include/internal/pycore_interp.h

@@ -154,6 +154,8 @@ struct _is {

     */

     PyLongObject* small_ints[_PY_NSMALLNEGINTS + _PY_NSMALLPOSINTS];

 #endif

+

+    int int_max_str_digits;

 };

 /* Used by _PyImport_Cleanup() */

diff --git a/Include/internal/pycore_long.h b/Include/internal/pycore_long.h

new file mode 100644

index 0000000..ae04332

--- /dev/null

+++ b/Include/internal/pycore_long.h

@@ -0,0 +1,49 @@

+#ifndef Py_INTERNAL_LONG_H

+#define Py_INTERNAL_LONG_H

+#ifdef __cplusplus

+extern "C" {

+#endif

+

+#ifndef Py_BUILD_CORE

+#  error "this header requires Py_BUILD_CORE define"

+#endif

+

+/*

+ * Default int base conversion size limitation: Denial of Service prevention.

+ *

+ * Chosen such that this isn't wildly slow on modern hardware and so that

+ * everyone's existing deployed numpy test suite passes before

+ * https://github.com/numpy/numpy/issues/22098 is widely available.

+ *

+ * $ python -m timeit -s 's = "1"*4300' 'int(s)'

+ * 2000 loops, best of 5: 125 usec per loop

+ * $ python -m timeit -s 's = "1"*4300; v = int(s)' 'str(v)'

+ * 1000 loops, best of 5: 311 usec per loop

+ * (zen2 cloud VM)

+ *

+ * 4300 decimal digits fits a ~14284 bit number.

+ */

+#define _PY_LONG_DEFAULT_MAX_STR_DIGITS 4300

+/*

+ * Threshold for max digits check.  For performance reasons int() and

+ * int.__str__() don't checks values that are smaller than this

+ * threshold.  Acts as a guaranteed minimum size limit for bignums that

+ * applications can expect from CPython.

+ *

+ * % python -m timeit -s 's = "1"*640; v = int(s)' 'str(int(s))'

+ * 20000 loops, best of 5: 12 usec per loop

+ *

+ * "640 digits should be enough for anyone." - gps

+ * fits a ~2126 bit decimal number.

+ */

+#define _PY_LONG_MAX_STR_DIGITS_THRESHOLD 640

+

+#if ((_PY_LONG_DEFAULT_MAX_STR_DIGITS != 0) && \

+   (_PY_LONG_DEFAULT_MAX_STR_DIGITS < _PY_LONG_MAX_STR_DIGITS_THRESHOLD))

+# error "_PY_LONG_DEFAULT_MAX_STR_DIGITS smaller than threshold."

+#endif

+

+#ifdef __cplusplus

+}

+#endif

+#endif /* !Py_INTERNAL_LONG_H */

diff --git a/Lib/test/support/__init__.py b/Lib/test/support/__init__.py

index 11818ac..e5d6e2b 100644

--- a/Lib/test/support/__init__.py

+++ b/Lib/test/support/__init__.py

@@ -3251,6 +3251,17 @@ def clear_ignored_deprecations(*tokens: object) -> None:

         warnings._filters_mutated()

+@contextlib.contextmanager

+def adjust_int_max_str_digits(max_digits):

+    """Temporarily change the integer string conversion length limit."""

+    current = sys.get_int_max_str_digits()

+    try:

+        sys.set_int_max_str_digits(max_digits)

+        yield

+    finally:

+        sys.set_int_max_str_digits(current)

+

+

 def fails_in_fips_mode(expected_error):

     import _hashlib

     if _hashlib.get_fips_mode():

diff --git a/Lib/test/test_ast.py b/Lib/test/test_ast.py

index c3e3be6..a048d38 100644

--- a/Lib/test/test_ast.py

+++ b/Lib/test/test_ast.py

@@ -978,6 +978,14 @@ Module(

         self.assertRaises(ValueError, ast.literal_eval, '+True')

         self.assertRaises(ValueError, ast.literal_eval, '2+3')

+    def test_literal_eval_str_int_limit(self):

+        with support.adjust_int_max_str_digits(4000):

+            ast.literal_eval('3'*4000)  # no error

+            with self.assertRaises(SyntaxError) as err_ctx:

+                ast.literal_eval('3'*4001)

+            self.assertIn('Exceeds the limit ', str(err_ctx.exception))

+            self.assertIn(' Consider hexadecimal ', str(err_ctx.exception))

+

     def test_literal_eval_complex(self):

         # Issue #4907

         self.assertEqual(ast.literal_eval('6j'), 6j)

diff --git a/Lib/test/test_cmd_line.py b/Lib/test/test_cmd_line.py

index 712d861..7ad9263 100644

--- a/Lib/test/test_cmd_line.py

+++ b/Lib/test/test_cmd_line.py

@@ -804,6 +804,39 @@ class CmdLineTest(unittest.TestCase):

         self.assertTrue(proc.stderr.startswith(err_msg), proc.stderr)

         self.assertNotEqual(proc.returncode, 0)

+    def test_int_max_str_digits(self):

+        code = "import sys; print(sys.flags.int_max_str_digits, sys.get_int_max_str_digits())"

+

+        assert_python_failure('-X', 'int_max_str_digits', '-c', code)

+        assert_python_failure('-X', 'int_max_str_digits=foo', '-c', code)

+        assert_python_failure('-X', 'int_max_str_digits=100', '-c', code)

+

+        assert_python_failure('-c', code, PYTHONINTMAXSTRDIGITS='foo')

+        assert_python_failure('-c', code, PYTHONINTMAXSTRDIGITS='100')

+

+        def res2int(res):

+            out = res.out.strip().decode("utf-8")

+            return tuple(int(i) for i in out.split())

+

+        res = assert_python_ok('-c', code)

+        self.assertEqual(res2int(res), (-1, sys.get_int_max_str_digits()))

+        res = assert_python_ok('-X', 'int_max_str_digits=0', '-c', code)

+        self.assertEqual(res2int(res), (0, 0))

+        res = assert_python_ok('-X', 'int_max_str_digits=4000', '-c', code)

+        self.assertEqual(res2int(res), (4000, 4000))

+        res = assert_python_ok('-X', 'int_max_str_digits=100000', '-c', code)

+        self.assertEqual(res2int(res), (100000, 100000))

+

+        res = assert_python_ok('-c', code, PYTHONINTMAXSTRDIGITS='0')

+        self.assertEqual(res2int(res), (0, 0))

+        res = assert_python_ok('-c', code, PYTHONINTMAXSTRDIGITS='4000')

+        self.assertEqual(res2int(res), (4000, 4000))

+        res = assert_python_ok(

+            '-X', 'int_max_str_digits=6000', '-c', code,

+            PYTHONINTMAXSTRDIGITS='4000'

+        )

+        self.assertEqual(res2int(res), (6000, 6000))

+

 @unittest.skipIf(interpreter_requires_environment(),

                  'Cannot run -I tests when PYTHON env vars are required.')

diff --git a/Lib/test/test_compile.py b/Lib/test/test_compile.py

index 55716fd..ec776b9 100644

--- a/Lib/test/test_compile.py

+++ b/Lib/test/test_compile.py

@@ -189,6 +189,19 @@ if 1:

         self.assertEqual(eval("0o777"), 511)

         self.assertEqual(eval("-0o0000010"), -8)

+    def test_int_literals_too_long(self):

+        n = 3000

+        source = f"a = 1\nb = 2\nc = {'3'*n}\nd = 4"

+        with support.adjust_int_max_str_digits(n):

+            compile(source, "<long_int_pass>", "exec")  # no errors.

+        with support.adjust_int_max_str_digits(n-1):

+            with self.assertRaises(SyntaxError) as err_ctx:

+                compile(source, "<long_int_fail>", "exec")

+            exc = err_ctx.exception

+            self.assertEqual(exc.lineno, 3)

+            self.assertIn('Exceeds the limit ', str(exc))

+            self.assertIn(' Consider hexadecimal ', str(exc))

+

     def test_unary_minus(self):

         # Verify treatment of unary minus on negative numbers SF bug #660455

         if sys.maxsize == 2147483647:

diff --git a/Lib/test/test_decimal.py b/Lib/test/test_decimal.py

index 3f30a93..c992815 100644

--- a/Lib/test/test_decimal.py

+++ b/Lib/test/test_decimal.py

@@ -2462,6 +2462,15 @@ class CUsabilityTest(UsabilityTest):

 class PyUsabilityTest(UsabilityTest):

     decimal = P

+    def setUp(self):

+        super().setUp()

+        self._previous_int_limit = sys.get_int_max_str_digits()

+        sys.set_int_max_str_digits(7000)

+

+    def tearDown(self):

+        sys.set_int_max_str_digits(self._previous_int_limit)

+        super().tearDown()

+

 class PythonAPItests(unittest.TestCase):

     def test_abc(self):

@@ -4519,6 +4528,15 @@ class CCoverage(Coverage):

 class PyCoverage(Coverage):

     decimal = P

+    def setUp(self):

+        super().setUp()

+        self._previous_int_limit = sys.get_int_max_str_digits()

+        sys.set_int_max_str_digits(7000)

+

+    def tearDown(self):

+        sys.set_int_max_str_digits(self._previous_int_limit)

+        super().tearDown()