[issue23490] allocation (and overwrite) of a 0 byte buffer

2015-02-28 Thread Arfrever Frehtes Taifersar Arahesis
Changes by Arfrever Frehtes Taifersar Arahesis:

--
nosy: +Arfrever

[issue23490] allocation (and overwrite) of a 0 byte buffer

2015-02-20 Thread Serhiy Storchaka
Serhiy Storchaka added the comment:

Thank you for your report paul.

--
assignee: -> serhiy.storchaka
components: +Interpreter Core
resolution: -> fixed
stage: -> resolved
status: open -> closed
versions: +Python 3.5

[issue23490] allocation (and overwrite) of a 0 byte buffer

2015-02-20 Thread Serhiy Storchaka
Serhiy Storchaka added the comment:

> Can we use here then?

It is for PyObjects.

[issue23490] allocation (and overwrite) of a 0 byte buffer

2015-02-20 Thread Roundup Robot
Roundup Robot added the comment:

New changeset 038297948389 by Serhiy Storchaka in branch '3.4':
Issue #23490: Fixed possible crashes related to interoperability between
https://hg.python.org/cpython/rev/038297948389

New changeset 56c6a4bce996 by Serhiy Storchaka in branch 'default':
Issue #2349

[issue23490] allocation (and overwrite) of a 0 byte buffer

2015-02-20 Thread Benjamin Peterson
Benjamin Peterson added the comment:

On Fri, Feb 20, 2015, at 12:39, Serhiy Storchaka wrote:
>
> Serhiy Storchaka added the comment:
>
> > I think it looks fine except why do you cast PyUnicode_LENGTH to size_t in
> > the comparison?
>
> To silence compiler warning. PyUnicode_LENGTH is signed,

[issue23490] allocation (and overwrite) of a 0 byte buffer

2015-02-20 Thread Serhiy Storchaka
Serhiy Storchaka added the comment:

> I think it looks fine except why do you cast PyUnicode_LENGTH to size_t in
> the comparison?

To silence compiler warning. PyUnicode_LENGTH is signed, right hand is unsigned.

> I also wonder if we should have PyObject_NEW now.

We have PyObject_NEW.

[issue23490] allocation (and overwrite) of a 0 byte buffer

2015-02-20 Thread Benjamin Peterson
Benjamin Peterson added the comment:

I think it looks fine except why do you cast PyUnicode_LENGTH to size_t in the comparison?

I also wonder if we should have PyObject_NEW now.

--
stage: patch review ->
versions: -Python 3.5

[issue23490] allocation (and overwrite) of a 0 byte buffer

2015-02-20 Thread Serhiy Storchaka
Serhiy Storchaka added the comment:

Here is a patch. There is yet one similar bug in unicodeobject.c.

--
keywords: +patch
stage: -> patch review
versions: +Python 3.5
Added file: http://bugs.python.org/file38189/issue23490.patch

[issue23490] allocation (and overwrite) of a 0 byte buffer

2015-02-20 Thread STINNER Victor
Changes by STINNER Victor:

--
nosy: +benjamin.peterson, haypo, serhiy.storchaka
type: crash -> security

[issue23490] allocation (and overwrite) of a 0 byte buffer

2015-02-20 Thread paul
paul added the comment:

And a nice error:

Debug memory block at address p=0x805fc028: API 'o'
    0 bytes originally requested
    The 3 pad bytes at p-3 are FORBIDDENBYTE, as expected.
    The 4 pad bytes at tail=0x805fc028 are not all FORBIDDENBYTE (0xfb):
        at tail+0: 0x00 *** OUCH

[issue23490] allocation (and overwrite) of a 0 byte buffer

2015-02-20 Thread paul
New submission from paul:

# Bug
# ---
#
# Py_UNICODE *
# PyUnicode_AsUnicodeAndSize(PyObject *unicode, Py_ssize_t *size)
# {
# ...
# #endif
# wchar_t *w;
# wchar_t *wchar_end;
#
# ...
# 1 _PyUnicode_WSTR(unicode) = (wchar_t *) PyObject_MALLOC(sizeof(wchar_t) *
#