Antoine Pitrou [EMAIL PROTECTED] added the comment:
There may be other places this can happen but I haven't checked yet.
PyByteArray_Resize() is called in various places in bytearrayobject.c,
some of them where it is mandatory to mutate the underlying storage
before reallocating it. The
Antoine Pitrou [EMAIL PROTECTED] added the comment:
New bytearray patch at http://codereview.appspot.com/10049. I think I've
covered all bases. array.array will need another patch (I must admit I
care a bit less about it, since it's not a builtin type).
The patch will have to be backported for
gumpy [EMAIL PROTECTED] added the comment:
It turns out the problems in array are more serious than I thought and
allow writing to unallocated memory through a memoryview leading to
memory corruption, segfaults and possibly exploits. The following
example extends an array enough to trigger a
Antoine Pitrou [EMAIL PROTECTED] added the comment:
The segfault happens even when the array is not being resized, I've
opened a separate bug for it: #4509.
___
Python tracker [EMAIL PROTECTED]
http://bugs.python.org/issue4509
Antoine Pitrou [EMAIL PROTECTED] added the comment:
Please see patch at http://codereview.appspot.com/10049
--
keywords: +needs review, patch
stage: needs patch - patch review
gumpy [EMAIL PROTECTED] added the comment:
I found another related bug. In bytes_setslice, when the buffer is
resized to a smaller size, a memmove happens regardless of whether the
resize is successful or not.
b = bytearray(range(10))
m = memoryview(b)
b[1:8] = b'X'
Traceback (most recent
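The two failure modes discussed in this thread (resizing a bytearray or array.array while a memoryview export is alive, and a shrinking slice assignment that moves bytes before the resize has been confirmed) can be checked from Python. The script below is an added example, not code from the thread or from the patches linked above; it assumes a current CPython 3 interpreter, where both types refuse to resize an exported buffer with BufferError, and it reuses the thread's constructed 10-byte input. Besides the refusal itself, it checks what a practitioner actually cares about: that a refused resize leaves the storage untouched, that in-place writes through the view still work, and that the same resize succeeds once the view is released.

```python
import array


def attempt(resize, obj):
    """Call resize(obj) and report what happened.

    Returns ("BufferError", len(obj)) if the interpreter refused the resize
    because a buffer export (here a memoryview) is alive, otherwise
    ("resized", len(obj)).  The length is returned so a refused resize can
    be checked to have left the object alone.
    """
    try:
        resize(obj)
    except BufferError:
        return "BufferError", len(obj)
    return "resized", len(obj)


def shrink(b):
    # The thread's example: a shrinking slice assignment (10 bytes -> 4).
    b[1:8] = b"X"


def grow(b):
    # Force a reallocation well past the current allocation.
    b.extend(b"\x00" * 4096)


def exported_bytearray_demo():
    """Resize a bytearray while a memoryview of it is alive, then after release."""
    b = bytearray(range(10))        # constructed sample input, as in the thread
    m = memoryview(b)
    before = bytes(b)

    shrink_outcome, len_after_shrink = attempt(shrink, b)
    # A refused shrink must not have moved any bytes: the bytes_setslice bug
    # reported above was a memmove that ran even when the resize failed.
    untouched = bytes(b) == before

    grow_outcome, len_after_grow = attempt(grow, b)

    # Writing through the view is fine: no resize is involved, and the write
    # lands inside the still-valid 10-byte allocation.
    m[0] = 0xFF
    write_visible = b[0] == 0xFF

    # Once the export is released the same shrink goes through.
    m.release()
    released_outcome, len_after_release = attempt(shrink, b)

    return {
        "shrink_outcome": shrink_outcome,
        "len_after_shrink": len_after_shrink,
        "untouched": untouched,
        "grow_outcome": grow_outcome,
        "len_after_grow": len_after_grow,
        "write_visible": write_visible,
        "released_outcome": released_outcome,
        "len_after_release": len_after_release,
        "final": bytes(b),
    }


def exported_array_demo():
    """Same check for array.array, the other type the thread covers."""
    a = array.array("b", range(10))   # constructed sample input
    m = memoryview(a)
    outcome, length = attempt(lambda x: x.extend(range(100)), a)
    m.release()
    released_outcome, released_length = attempt(lambda x: x.extend(range(100)), a)
    return {
        "outcome": outcome,
        "length": length,
        "released_outcome": released_outcome,
        "released_length": released_length,
    }


if __name__ == "__main__":
    for name, result in (("bytearray", exported_bytearray_demo()),
                         ("array.array", exported_array_demo())):
        print(name)
        for key, value in result.items():
            print(f"  {key}: {value!r}")
```

Run it on any interpreter you intend to rely on: a "resized" outcome while the view is still alive means that build will let a memoryview point at freed or relocated storage, which is exactly the memory corruption described in this thread.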
Antoine Pitrou [EMAIL PROTECTED] added the comment:
It's not a memoryview bug, but a bytearray oddity. The bytearray uses a
variable-sized buffer underneath, and it tries to minimize the number of
reallocations when changing the object length through some simple
heuristics. Therefore, a
New submission from gumpy [EMAIL PROTECTED]:
I'm unsure of the expected behavior in this case but it seems odd. The
bytearray in the following example can be resized to a length of 5-10
bytes without throwing an exception.
Python 3.0rc3 (r30rc3:67312, Dec 3 2008, 10:38:14)
[GCC 4.2.4