gh-146525: Add ndim validation to PyBuffer_ToContiguous for defense-in-depth

Add validation of the ndim parameter in PyBuffer_ToContiguous() and
buffer_to_contiguous() to prevent potential integer overflow in memory
allocation calculations.

While Python-level code already enforces PyBUF_MAX_NDIM (64), C extensions
implementing custom getbufferproc could potentially provide invalid ndim
values. This change adds defense-in-depth validation to ensure ndim is
within the valid range before performing allocations.

The allocation calculation \3 * src->ndim * sizeof(Py_ssize_t)\ could
theoretically overflow if ndim exceeds ~3.8e17 on 64-bit systems, though
this is not practically exploitable. This patch adds explicit validation
as a hardening measure.

Changes:
- PyBuffer_ToContiguous(): Add runtime check for ndim range
- buffer_to_contiguous(): Add assertion for ndim <= PyBUF_MAX_NDIM
- Add test case in test_memoryview.py

This is a hardening improvement, not a fix for an actively exploitable
vulnerability.

Co-authored-by: Lakshmikanthan K <badassletchu@gmail.com>

Author: l3tchupkt

Lib/test/test_memoryview.py

@@ -861,6 +861,20 @@ def test_picklebuffer_reference_loop(self):
         gc.collect()
         self.assertIsNone(wr())
 
+    def test_ndim_limit(self):
+        # gh-146525: Ensure ndim is validated to prevent integer overflow
+        # PyBUF_MAX_NDIM is 64
+        b = bytearray(b"A" * 100)
+        m = memoryview(b)
+
+        # Test that exceeding PyBUF_MAX_NDIM raises ValueError
+        with self.assertRaisesRegex(ValueError, "must not exceed 64"):
+            m.cast('B', shape=tuple([1] * 65))
+
+        # Test that negative ndim is rejected
+        with self.assertRaises((ValueError, TypeError)):
+            m.cast('B', shape=tuple([-1]))
+
 
 @threading_helper.requires_working_threading()
 @support.requires_resource("cpu")

Misc/NEWS.d/next/C_API/2026-03-27-20-55-40.gh-issue-146525.uUYGyi.rst

@@ -0,0 +1,5 @@
+Add validation of the ``ndim`` parameter in :c:func:`PyBuffer_ToContiguous`
+to prevent potential integer overflow in memory allocation calculations.
+While Python-level code already enforces :c:macro:`PyBUF_MAX_NDIM`, this
+change adds defense-in-depth validation for C extensions that might provide
+invalid values. Patch by Lakshmikanthan K.

Objects/memoryobject.c

@@ -500,6 +500,7 @@ buffer_to_contiguous(char *mem, const Py_buffer *src, char order)
     int ret;
 
     assert(src->ndim >= 1);
+    assert(src->ndim <= PyBUF_MAX_NDIM);
     assert(src->shape != NULL);
     assert(src->strides != NULL);
 
@@ -1059,6 +1060,16 @@ PyBuffer_ToContiguous(void *buf, const Py_buffer *src, Py_ssize_t len, char orde
         return -1;
     }
 
+    /* Validate ndim to prevent potential integer overflow in allocation.
+     * While Python-level code enforces PyBUF_MAX_NDIM, C extensions could
+     * potentially provide invalid values. This is a defense-in-depth check. */
+    if (src->ndim < 0 || src->ndim > PyBUF_MAX_NDIM) {
+        PyErr_Format(PyExc_ValueError,
+                     "ndim out of valid range (got %d, expected 0-%d)",
+                     src->ndim, PyBUF_MAX_NDIM);
+        return -1;
+    }
+
     if (PyBuffer_IsContiguous(src, order)) {
         memcpy((char *)buf, src->buf, len);
         return 0;