From 7e1098befe178e4b93657a4d49e6a354037beec4 Mon Sep 17 00:00:00 2001
From: Jan Sturm <jansturm92@googlemail.com>
Date: Tue, 29 Oct 2024 19:26:19 +0100
Subject: [PATCH 1/2] py/objdeque: Fix buffer overflow in deque_subscr.

In `deque_subscr()`, if `index_val` equals `self->alloc`, the index
correction `index_val -= self->alloc` does not execute, leading to an
out-of-bounds access in `self->items[index_val]`.

The fix in this commit ensures that the index correction is applied
whenever `index_val >= self->alloc`, preventing access beyond the allocated
buffer size.

Signed-off-by: Jan Sturm <jansturm92@googlemail.com>
---
 py/objdeque.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/py/objdeque.c b/py/objdeque.c
index 2ad771284df53..22c380a05a926 100644
--- a/py/objdeque.c
+++ b/py/objdeque.c
@@ -208,7 +208,7 @@ static mp_obj_t deque_subscr(mp_obj_t self_in, mp_obj_t index, mp_obj_t value) {
 
     size_t offset = mp_get_index(self->base.type, deque_len(self), index, false);
     size_t index_val = self->i_get + offset;
-    if (index_val > self->alloc) {
+    if (index_val >= self->alloc) {
         index_val -= self->alloc;
     }
 

From c88a9d60a17594bfd72d57b073eeb9150019b52c Mon Sep 17 00:00:00 2001
From: Damien George <damien@micropython.org>
Date: Wed, 30 Oct 2024 15:07:58 +1100
Subject: [PATCH 2/2] tests/basics/deque2.py: Add tests for deque
 subscript-from-end.

Signed-off-by: Damien George <damien@micropython.org>
---
 tests/basics/deque2.py | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/tests/basics/deque2.py b/tests/basics/deque2.py
index 3552d5be37abe..ebc0872c7b4e0 100644
--- a/tests/basics/deque2.py
+++ b/tests/basics/deque2.py
@@ -31,6 +31,16 @@
 d[3] = 5
 print(d[3])
 
+# Access the last element via index, when the last element is at various locations
+d = deque((), 2)
+for i in range(4):
+    d.append(i)
+    print(i, d[-1])
+
+# Write the last element then access all elements from the end
+d[-1] = 4
+print(d[-2], d[-1])
+
 # Accessing indices out of bounds raises IndexError
 try:
     d[4]

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml'>
<head>
<title>pFad - Phonifier reborn</title>
<meta http-equiv='Content-Type' content='text/html; charset=utf-8' />
</head>
<body>
<h1>Pfad - The Proxy pFad of &#169; 2024 Garber Painting. All rights reserved.</h1>


<!-- Disclaimer -->
<p>Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.</p>
<br>
<p>Alternative Proxies:</p><p><a href="http://rainy.clevelandohioweatherforecast.com/php-proxy/index.php?q=https://patch-diff.githubusercontent.com/raw/micropython/micropython/pull/16108.patch" target="_blank">Alternative Proxy</a></p><p><a href="http://rainy.clevelandohioweatherforecast.com/pFad/index.php?u=https://patch-diff.githubusercontent.com/raw/micropython/micropython/pull/16108.patch" target="_blank">pFad Proxy</a></p><p><a href="http://rainy.clevelandohioweatherforecast.com/pFad/v3index.php?u=https://patch-diff.githubusercontent.com/raw/micropython/micropython/pull/16108.patch" target="_blank">pFad v3 Proxy</a></p><p><a href="http://rainy.clevelandohioweatherforecast.com/pFad/v4index.php?u=https://patch-diff.githubusercontent.com/raw/micropython/micropython/pull/16108.patch" target="_blank">pFad v4 Proxy</a></p></body>
</html>