This issue tracker has been migrated to GitHub ,
and is currently read-only.
For more information,
see the GitHub FAQs in the Python's Developer Guide.
Created on 2015年02月01日 13:53 by pkt, last changed 2022年04月11日 14:58 by admin. This issue is now closed.
| Files | ||||
|---|---|---|---|---|
| File name | Uploaded | Description | Edit | |
| poc_translate.py | pkt, 2015年02月01日 13:53 | |||
| Messages (3) | |||
|---|---|---|---|
| msg235169 - (view) | Author: paul (pkt) | Date: 2015年02月01日 13:53 | |
# Bug
# ---
#
# PyObject *
# _PyUnicode_TranslateCharmap(PyObject *input,
# PyObject *mapping,
# const char *errors)
# {
# ...
# size = PyUnicode_GET_LENGTH(input);
# ...
# osize = size;
# 1 output = PyMem_Malloc(osize * sizeof(Py_UCS4));
#
# 1. Input size = 2^30, so osize*sizeof(Py_UCS4)=2^32==0 (modulo 2^32) and malloc
# allocates a 0 byte buffer
#
# Crash
# -----
#
# Breakpoint 2, _PyUnicode_TranslateCharmap (
# input='aa...', mapping={97: 'b'}, errors=0x828c82b "ignore") at Objects/unicodeobject.c:8597
# 8597 {
# ...
# 8636 output = PyMem_Malloc(osize * sizeof(Py_UCS4));
# (gdb) print osize
# 1ドル = 1073741824
# (gdb) print osize*4
# 2ドル = 0
# (gdb) c
# Continuing.
#
# Program received signal SIGSEGV, Segmentation fault.
# 0x0814aed2 in charmaptranslate_output (
# input='aa...', ipos=51302, mapping={97: 'b'}, output=0xbfc40860, osize=0xbfc40864, opos=0xbfc40868,
# res=0xbfc40874) at Objects/unicodeobject.c:8574
# 8574 (*output)[(*opos)++] = PyUnicode_READ_CHAR(*res, 0);
#
# OS info
# -------
#
# % ./python -V
# Python 3.4.1
#
# % uname -a
# Linux ubuntu 3.8.0-29-generic #42~precise1-Ubuntu SMP Wed Aug 14 15:31:16 UTC 2013 i686 i686 i386 GNU/Linux
#
s="a"*(2**30)
s.translate({ord('a'): 'b'})
|
|||
| msg235185 - (view) | Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) | Date: 2015年02月01日 17:25 | |
Do you want to provide a patch? |
|||
| msg237070 - (view) | Author: Roundup Robot (python-dev) (Python triager) | Date: 2015年03月02日 18:24 | |
New changeset 21cd7f83e0aa by Benjamin Peterson in branch '3.3': use PyMem_NEW to detect overflow (closes #23362) https://hg.python.org/cpython/rev/21cd7f83e0aa New changeset 880906bbf792 by Benjamin Peterson in branch '3.4': merge 3.3 (#23362) https://hg.python.org/cpython/rev/880906bbf792 |
|||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022年04月11日 14:58:12 | admin | set | github: 67551 |
| 2015年03月03日 05:10:21 | Arfrever | set | versions: + Python 3.3, Python 3.5 |
| 2015年03月02日 19:25:43 | serhiy.storchaka | set | assignee: serhiy.storchaka -> benjamin.peterson nosy: + benjamin.peterson |
| 2015年03月02日 18:24:37 | python-dev | set | status: open -> closed nosy: + python-dev messages: + msg237070 resolution: fixed stage: resolved |
| 2015年03月02日 17:02:15 | serhiy.storchaka | set | assignee: serhiy.storchaka |
| 2015年02月01日 21:16:58 | Arfrever | set | nosy:
+ Arfrever |
| 2015年02月01日 17:25:11 | serhiy.storchaka | set | nosy:
+ serhiy.storchaka messages: + msg235185 |
| 2015年02月01日 13:53:20 | pkt | create | |