From b55c40419e3bdf325ed5ebc73e9473dab3eaf090 Mon Sep 17 00:00:00 2001
From: "Miss Islington (bot)"
 <31488909+miss-islington@users.noreply.github.com>
Date: Fri, 10 Jan 2025 04:51:45 +0100
Subject: [PATCH] [3.12] gh-126862: Use `Py_ssize_t` instead of `int` when
 processing the number of super-classes  (GH-127523) (#128700)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

gh-126862: Use `Py_ssize_t` instead of `int` when processing the number of super-classes  (GH-127523)
(cherry picked from commit 2fcdc8488c32d18f4567f797094068a994777f16)

Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
---
 .../2024-12-02-18-15-37.gh-issue-126862.fdIK7T.rst        | 2 ++
 Objects/typeobject.c                                      | 8 ++++----
 2 files changed, 6 insertions(+), 4 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Core_and_Builtins/2024-12-02-18-15-37.gh-issue-126862.fdIK7T.rst

diff --git a/Misc/NEWS.d/next/Core_and_Builtins/2024-12-02-18-15-37.gh-issue-126862.fdIK7T.rst b/Misc/NEWS.d/next/Core_and_Builtins/2024-12-02-18-15-37.gh-issue-126862.fdIK7T.rst
new file mode 100644
index 00000000000000..d930c2963e3632
--- /dev/null
+++ b/Misc/NEWS.d/next/Core_and_Builtins/2024-12-02-18-15-37.gh-issue-126862.fdIK7T.rst
@@ -0,0 +1,2 @@
+Fix a possible overflow when a class inherits from an absurd number of
+super-classes. Reported by Valery Fedorenko. Patch by Bénédikt Tran.
diff --git a/Objects/typeobject.c b/Objects/typeobject.c
index 06857e3685740a..b0c79d34e6525b 100644
--- a/Objects/typeobject.c
+++ b/Objects/typeobject.c
@@ -2319,7 +2319,7 @@ vectorcall_maybe(PyThreadState *tstate, PyObject *name,
  */
 
 static int
-tail_contains(PyObject *tuple, int whence, PyObject *o)
+tail_contains(PyObject *tuple, Py_ssize_t whence, PyObject *o)
 {
     Py_ssize_t j, size;
     size = PyTuple_GET_SIZE(tuple);
@@ -2382,7 +2382,7 @@ check_duplicates(PyObject *tuple)
 */
 
 static void
-set_mro_error(PyObject **to_merge, Py_ssize_t to_merge_size, int *remain)
+set_mro_error(PyObject **to_merge, Py_ssize_t to_merge_size, Py_ssize_t *remain)
 {
     Py_ssize_t i, n, off;
     char buf[1000];
@@ -2437,13 +2437,13 @@ pmerge(PyObject *acc, PyObject **to_merge, Py_ssize_t to_merge_size)
 {
     int res = 0;
     Py_ssize_t i, j, empty_cnt;
-    int *remain;
+    Py_ssize_t *remain;
 
     /* remain stores an index into each sublist of to_merge.
        remain[i] is the index of the next base in to_merge[i]
        that is not included in acc.
     */
-    remain = PyMem_New(int, to_merge_size);
+    remain = PyMem_New(Py_ssize_t, to_merge_size);
     if (remain == NULL) {
         PyErr_NoMemory();
         return -1;