[issue15736] Crash #2 (constructed overflow) in _PySequence_BytesToCharpArray()
Roundup Robot added the comment: New changeset dbbf3ccf72e8 by Stefan Krah in branch '3.2': Issue #15736: Fix overflow in _PySequence_BytesToCharpArray(). http://hg.python.org/cpython/rev/dbbf3ccf72e8 -- nosy: +python-dev ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue15736 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue15736] Crash #2 (constructed overflow) in _PySequence_BytesToCharpArray()
Stefan Krah added the comment: I used the cast for gcc = 4.6 and the assert() as a courtesy to authors of buggy sq_length() functions. Thanks for the comments! -- resolution: - fixed stage: patch review - committed/rejected status: open - closed ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue15736 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue15736] Crash #2 (constructed overflow) in _PySequence_BytesToCharpArray()
New submission from Stefan Krah: A Py_ssize_t overflow can be constructed in _PySequence_BytesToCharpArray(). Patch attached. Demonstration (requires revision = 2af78f8a98e1): Python 3.3.0b2+ (default:2af78f8a98e1, Aug 20 2012, 11:38:54) [GCC 4.4.3] on linux Type help, copyright, credits or license for more information. import sys, _posixsubprocess [65851 refs] class Z(object): ... def __len__(self): ... return sys.maxsize ... def __getitem__(self, i): ... return b'x' ... [65923 refs] _posixsubprocess.fork_exec(1,Z(),3,[1, 2],5,6,7,8,9,10,11,12,13,14,15,16,17) Segmentation fault -- components: Interpreter Core files: bytes_to_charp_array_overflow.diff keywords: patch messages: 168643 nosy: skrah priority: normal severity: normal stage: patch review status: open title: Crash #2 (constructed overflow) in _PySequence_BytesToCharpArray() type: crash versions: Python 3.2, Python 3.3 Added file: http://bugs.python.org/file26925/bytes_to_charp_array_overflow.diff ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue15736 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue15736] Crash #2 (constructed overflow) in _PySequence_BytesToCharpArray()
Martin v. Löwis added the comment: It's fine if the Rietveld comments are addressed. -- nosy: +loewis ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue15736 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue15736] Crash #2 (constructed overflow) in _PySequence_BytesToCharpArray()
Stefan Krah added the comment: issue15736.diff shows what I meant in the comments. I find this slightly more readable than casting the big RHS expression. -- Added file: http://bugs.python.org/file26931/issue15632.diff ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue15736 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue15736] Crash #2 (constructed overflow) in _PySequence_BytesToCharpArray()
Changes by Stefan Krah stefan-use...@bytereef.org: Removed file: http://bugs.python.org/file26931/issue15632.diff ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue15736 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue15736] Crash #2 (constructed overflow) in _PySequence_BytesToCharpArray()
Stefan Krah added the comment: Sorry, the right diff this time. -- Added file: http://bugs.python.org/file26932/issue15736.diff ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue15736 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue15736] Crash #2 (constructed overflow) in _PySequence_BytesToCharpArray()
Stefan Krah added the comment: Bad news: gcc-4.6.3 needs the size_t cast, otherwise it warns with both the assert() and the (argc 0) version. So I suggest using the size_t cast and a comment. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue15736 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com