New submission from Stefan Krah:

A Py_ssize_t overflow can be constructed in _PySequence_BytesToCharpArray().
Patch attached.


Demonstration (requires revision >= 2af78f8a98e1):

Python 3.3.0b2+ (default:2af78f8a98e1, Aug 20 2012, 11:38:54)
[GCC 4.4.3] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import sys, _posixsubprocess
[65851 refs]
>>> class Z(object):
...     def __len__(self):
...         return sys.maxsize
...     def __getitem__(self, i):
...         return b'x'
...
[65923 refs]
>>> _posixsubprocess.fork_exec(1,Z(),3,[1, 2],5,6,7,8,9,10,11,12,13,14,15,16,17)
Segmentation fault

----------
components: Interpreter Core
files: bytes_to_charp_array_overflow.diff
keywords: patch
messages: 168643
nosy: skrah
priority: normal
severity: normal
stage: patch review
status: open
title: Crash #2 (constructed overflow) in _PySequence_BytesToCharpArray()
type: crash
versions: Python 3.2, Python 3.3
Added file: http://bugs.python.org/file26925/bytes_to_charp_array_overflow.diff

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue15736>
_______________________________________
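
Added example, not part of the report or the attached patch: a C sketch of how a length of `sys.maxsize` can wrap a pointer-array size computation to zero, next to a bounds check that rejects it before allocating. It assumes the array size is computed as `(argc + 1) * sizeof(char *)`; `ssize_sketch_t`, `unchecked_array_bytes` and `checked_array_bytes` are hypothetical names, not CPython's.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for Py_ssize_t / PY_SSIZE_T_MAX (assumption: same width as ptrdiff_t). */
typedef ptrdiff_t ssize_sketch_t;
#define SSIZE_SKETCH_MAX PTRDIFF_MAX

/* Unchecked size: argc pointers plus a NULL terminator.
 * Done in size_t so the wraparound is well-defined and observable. */
size_t unchecked_array_bytes(ssize_sketch_t argc)
{
    return ((size_t)argc + 1) * sizeof(char *);
}

/* Checked size: returns 0 and stores the byte count in *out, or returns -1
 * when argc is negative or the byte count would exceed SSIZE_SKETCH_MAX. */
int checked_array_bytes(ssize_sketch_t argc, size_t *out)
{
    if (argc < 0)
        return -1;
    if ((size_t)argc > ((size_t)SSIZE_SKETCH_MAX - sizeof(char *)) / sizeof(char *))
        return -1;
    *out = ((size_t)argc + 1) * sizeof(char *);
    return 0;
}

int main(void)
{
    size_t n = 0;

    /* Length as reported by a __len__ that returns sys.maxsize. */
    printf("unchecked bytes for max length: %zu\n",
           unchecked_array_bytes(SSIZE_SKETCH_MAX));
    /* A zero-byte allocation followed by argc stores would write out of bounds. */
    printf("checked, max length: %d\n",
           checked_array_bytes(SSIZE_SKETCH_MAX, &n));
    if (checked_array_bytes(3, &n) == 0)
        printf("checked, length 3: %zu bytes\n", n);
    return 0;
}
```
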