Issue 22335: Python 3: Segfault instead of MemoryError when bytearray too big

➜

This issue tracker has been migrated to GitHub , and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

This issue has been migrated to GitHub: https://github.com/python/cpython/issues/66531

classification

Title:	Python 3: Segfault instead of MemoryError when bytearray too big
Type:	crash	Stage:	resolved
Components:	Interpreter Core	Versions:	Python 3.4, Python 3.5

process

Dependencies:	Superseder:
Status:	closed	Resolution:	fixed
Assigned To:	Nosy List:	Arfrever, ezio.melotti, jwilk, pitrou, python-dev, serhiy.storchaka, swanson, vstinner
Priority:	normal	Keywords:	patch

Created on 2014年09月04日 10:38 by swanson, last changed 2022年04月11日 14:58 by admin. This issue is now closed.

Files
File name	Uploaded	Description	Edit
issue19087.patch	jwilk, 2014年10月14日 16:54	review
ba_resize.patch	pitrou, 2014年11月02日 16:08	review

Messages (10)
msg226356 - (view)	Author: (swanson)	Date: 2014年09月04日 10:38
On Python 3, but not Python 2, you crash with a Segmentation Fault instead of getting a MemoryError as expected. It seems to only be a problem with bytearray, not with other things like tuple: $ python3 Python 3.4.0 (default, Apr 11 2014, 13:05:18) [GCC 4.8.2] on linux Type "help", "copyright", "credits" or "license" for more information. >>> bytearray(0x7FFFFFFF) Segmentation fault (core dumped) $ compare to: $ python Python 2.7.6 (default, Mar 22 2014, 22:59:38) [GCC 4.8.2] on linux2 Type "help", "copyright", "credits" or "license" for more information. >>> bytearray(0x7FFFFFFF) Traceback (most recent call last): File "<stdin>", line 1, in <module> MemoryError >>> $ python3 Python 3.4.0 (default, Apr 11 2014, 13:05:18) [GCC 4.8.2] on linux Type "help", "copyright", "credits" or "license" for more information. >>> (0,)*0x7FFFFFFF Traceback (most recent call last): File "<stdin>", line 1, in <module> MemoryError >>>
msg226358 - (view)	Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer)	Date: 2014年09月04日 11:57
Looks as integer overflow introduced in issue19087. + if (size + logical_offset + 1 < alloc) {
msg229314 - (view)	Author: Jakub Wilk (jwilk)	Date: 2014年10月14日 16:54
This patch should fix it.
msg229322 - (view)	Author: Jakub Wilk (jwilk)	Date: 2014年10月14日 17:44
On a second thought, "logical_offset + 1" alone could overflow; and there are apparently other possible integer overflows in this function.
msg230496 - (view)	Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer)	Date: 2014年11月02日 15:59
"logical_offset + 1" can't overflow because logical_offset is an offset in allocated array not counting final null byte.
msg230497 - (view)	Author: Antoine Pitrou (pitrou) * (Python committer)	Date: 2014年11月02日 15:59
Note that there are two possible crashes in debug mode: $ ./python -c "bytearray(231-1)" Erreur de segmentation $ ./python -c "bytearray(231-2)" python: Objects/obmalloc.c:1179: _PyObject_Alloc: Assertion `nelem <= ((Py_ssize_t)(((size_t)-1)>>1)) / elsize' failed. Abandon
msg230499 - (view)	Author: Antoine Pitrou (pitrou) * (Python committer)	Date: 2014年11月02日 16:08
Here is a patch. It also fixes a bug in the debug allocators, which didn't properly check for Py_ssize_t overflow.
msg230505 - (view)	Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer)	Date: 2014年11月02日 17:06
LGTM.
msg230509 - (view)	Author: Roundup Robot (python-dev) (Python triager)	Date: 2014年11月02日 17:42
New changeset 1590c594550e by Antoine Pitrou in branch '3.4': Issue #22335: Fix crash when trying to enlarge a bytearray to 0x7fffffff bytes on a 32-bit platform. https://hg.python.org/cpython/rev/1590c594550e New changeset f0b334ae95c9 by Antoine Pitrou in branch 'default': Issue #22335: Fix crash when trying to enlarge a bytearray to 0x7fffffff bytes on a 32-bit platform. https://hg.python.org/cpython/rev/f0b334ae95c9
msg230510 - (view)	Author: Antoine Pitrou (pitrou) * (Python committer)	Date: 2014年11月02日 17:43
Thank you. This is now pushed.

History
Date	User	Action	Args
2022年04月11日 14:58:07	admin	set	github: 66531
2014年11月02日 17:43:23	pitrou	set	status: open -> closed resolution: fixed messages: + msg230510 stage: commit review -> resolved
2014年11月02日 17:42:57	python-dev	set	nosy: + python-dev messages: + msg230509
2014年11月02日 17:06:10	serhiy.storchaka	set	messages: + msg230505 stage: patch review -> commit review
2014年11月02日 16:08:20	pitrou	set	components: + Interpreter Core stage: needs patch -> patch review
2014年11月02日 16:08:11	pitrou	set	files: + ba_resize.patch messages: + msg230499
2014年11月02日 15:59:45	pitrou	set	messages: + msg230497
2014年11月02日 15:59:16	serhiy.storchaka	set	messages: + msg230496
2014年11月02日 15:16:25	ezio.melotti	set	nosy: + ezio.melotti
2014年10月14日 23:49:18	Arfrever	set	nosy: + Arfrever
2014年10月14日 17:44:29	jwilk	set	messages: + msg229322
2014年10月14日 16:54:31	jwilk	set	files: + issue19087.patch nosy: + jwilk messages: + msg229314 keywords: + patch
2014年09月04日 11:57:58	vstinner	set	nosy: + vstinner
2014年09月04日 11:57:10	serhiy.storchaka	set	versions: + Python 3.5 nosy: + serhiy.storchaka, pitrou messages: + msg226358 stage: needs patch
2014年09月04日 10:38:57	swanson	create

homepage