Issue 15736: Crash #2 (constructed overflow) in _PySequence_BytesToCharpArray()

➜

This issue tracker has been migrated to GitHub , and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

This issue has been migrated to GitHub: https://github.com/python/cpython/issues/59941

classification

Title:	Crash #2 (constructed overflow) in _PySequence_BytesToCharpArray()
Type:	crash	Stage:	resolved
Components:	Interpreter Core	Versions:	Python 3.2, Python 3.3

process

Dependencies:	Superseder:
Status:	closed	Resolution:	fixed
Assigned To:	Nosy List:	loewis, python-dev, skrah
Priority:	normal	Keywords:	patch

Created on 2012年08月20日 09:55 by skrah, last changed 2022年04月11日 14:57 by admin. This issue is now closed.

Files
File name	Uploaded	Description	Edit
bytes_to_charp_array_overflow.diff	skrah, 2012年08月20日 09:55	review
issue15736.diff	skrah, 2012年08月20日 15:14	review

Messages (7)
msg168643 - (view)	Author: Stefan Krah (skrah) * (Python committer)	Date: 2012年08月20日 09:55
A Py_ssize_t overflow can be constructed in _PySequence_BytesToCharpArray(). Patch attached. Demonstration (requires revision >= 2af78f8a98e1): Python 3.3.0b2+ (default:2af78f8a98e1, Aug 20 2012, 11:38:54) [GCC 4.4.3] on linux Type "help", "copyright", "credits" or "license" for more information. >>> import sys, _posixsubprocess [65851 refs] >>> class Z(object): ... def __len__(self): ... return sys.maxsize ... def __getitem__(self, i): ... return b'x' ... [65923 refs] >>> _posixsubprocess.fork_exec(1,Z(),3,[1, 2],5,6,7,8,9,10,11,12,13,14,15,16,17) Segmentation fault
msg168653 - (view)	Author: Martin v. Löwis (loewis) * (Python committer)	Date: 2012年08月20日 12:37
It's fine if the Rietveld comments are addressed.
msg168670 - (view)	Author: Stefan Krah (skrah) * (Python committer)	Date: 2012年08月20日 15:09
issue15736.diff shows what I meant in the comments. I find this slightly more readable than casting the big RHS expression.
msg168671 - (view)	Author: Stefan Krah (skrah) * (Python committer)	Date: 2012年08月20日 15:14
Sorry, the right diff this time.
msg168691 - (view)	Author: Stefan Krah (skrah) * (Python committer)	Date: 2012年08月20日 18:53
Bad news: gcc-4.6.3 needs the size_t cast, otherwise it warns with both the assert() and the (argc < 0) version. So I suggest using the size_t cast and a comment.
msg168745 - (view)	Author: Roundup Robot (python-dev) (Python triager)	Date: 2012年08月21日 06:31
New changeset dbbf3ccf72e8 by Stefan Krah in branch '3.2': Issue #15736: Fix overflow in _PySequence_BytesToCharpArray(). http://hg.python.org/cpython/rev/dbbf3ccf72e8
msg168746 - (view)	Author: Stefan Krah (skrah) * (Python committer)	Date: 2012年08月21日 06:37
I used the cast for gcc >= 4.6 and the assert() as a courtesy to authors of buggy sq_length() functions. Thanks for the comments!

History
Date	User	Action	Args
2022年04月11日 14:57:34	admin	set	github: 59941
2012年08月21日 06:37:07	skrah	set	status: open -> closed resolution: fixed messages: + msg168746 stage: patch review -> resolved
2012年08月21日 06:31:44	python-dev	set	nosy: + python-dev messages: + msg168745
2012年08月20日 18:53:06	skrah	set	messages: + msg168691
2012年08月20日 15:14:32	skrah	set	files: + issue15736.diff messages: + msg168671
2012年08月20日 15:11:18	skrah	set	files: - issue15632.diff
2012年08月20日 15:09:12	skrah	set	files: + issue15632.diff messages: + msg168670
2012年08月20日 12:37:45	loewis	set	nosy: + loewis messages: + msg168653
2012年08月20日 09:55:09	skrah	create

homepage