Josh Rosenberg <shadowranger+pyt...@gmail.com> added the comment:

Your analysis would be (almost) correct if a slice object could have a stop 
value of NULL. It's wrong in that the error would be a NULL dereference, not a 
silent use of an uninitialized value, but it would be a bug. In your scenario 
where v == NULL, it would pass the test for v != Py_None, then call 
PyIndex_Check(v), and since the macro doesn't check for the passed value being 
NULL, it would perform a NULL dereference.

But even that's not possible; PySlice_New (which is ultimately responsible for 
all slice construction) explicitly replaces any argument of NULL with Py_None, 
so there is no such thing as a slice with *any* value being NULL.

So since r->stop is definitely non-NULL, either:

1. It's None, PySlice_Unpack line 232 executes, and stop is initialized

or

2. It's non-None, _PyEval_SliceIndex is called with a v that is definitely not 
None and non-NULL, so it always enters the `if (v != Py_None) {` block, and 
either it received a valid index integer, in which case it initializes *pi (aka 
stop) and returns 1 (success), or returns 0 (failure), which means stop is 
never used.

The only way you could trigger your bug is to make a slice with an actual NULL 
for its stop value (and as noted, the bug would be a NULL dereference in 
PyIndex_Check, not a use of an uninitialized value, because v != Py_None would 
return true for v == NULL), which is only possible through intentionally 
misusing PySliceObject (reaching in and tweaking values of the struct 
directly). And if you can do that, you're already a C extension (or ctypes 
code) and can crash the interpreter any number of ways without resorting to 
this level of complexity.

----------
nosy: +josh.r
resolution:  -> not a bug
stage:  -> resolved
status: open -> closed

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue35842>
_______________________________________
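
The case analysis in the comment above, as a simplified stand-alone C model added here for illustration (not CPython source and not code from the tracker comment). The `obj` struct, every `model_*` name and the `LONG_MAX` default are assumptions of this sketch.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model, NOT CPython source: plain C stand-ins for the objects. */
typedef struct { int is_int; long value; } obj;
static obj none_singleton;               /* stands in for Py_None */
#define MODEL_NONE (&none_singleton)
typedef struct { obj *start, *stop, *step; } model_slice;

/* Constructor invariant: NULL arguments become None, so no field of a
   constructed slice is ever NULL. */
model_slice model_slice_new(obj *start, obj *stop, obj *step) {
    model_slice s;
    s.start = start ? start : MODEL_NONE;
    s.stop  = stop  ? stop  : MODEL_NONE;
    s.step  = step  ? step  : MODEL_NONE;
    return s;
}

/* Returns 1 on success, 0 on failure. For a non-None v, success always
   writes *pi; failure leaves *pi untouched. */
int model_slice_index(obj *v, long *pi) {
    if (v != MODEL_NONE) {
        if (!v->is_int)
            return 0;
        *pi = v->value;
    }
    return 1;
}

/* Returns 0 and stores the stop index, or -1 on failure. */
int model_unpack_stop(const model_slice *r, long *stop_out) {
    long stop;                           /* deliberately uninitialized */
    if (r->stop == MODEL_NONE)
        stop = LONG_MAX;                 /* case 1: placeholder default */
    else if (!model_slice_index(r->stop, &stop))
        return -1;                       /* case 2, failure: stop never read */
    *stop_out = stop;                    /* reached only with stop assigned */
    return 0;
}

int main(void) {
    obj three = {1, 3};
    long out = 0;
    model_slice s = model_slice_new(NULL, &three, NULL);
    int rc = model_unpack_stop(&s, &out);
    printf("rc=%d stop=%ld\n", rc, out);
    return 0;
}
```

The uninitialized local is safe only because the constructor is the sole way to build a slice; a static analyzer that does not track that invariant across functions will report the read as reachable.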