New submission from david <[email protected]>:
The _PyString_Resize function in stringobject.c[0] takes a PyObject ** and a
Py_ssize_t newsize, where Py_ssize_t is often a typedef for ssize_t (a signed
version of size_t). As such, the newsize parameter could be negative.
The code checks for when the newsize is negative like so:
    int
    _PyString_Resize(PyObject **pv, Py_ssize_t newsize)
    {
        ...
        if (!PyString_Check(v) || Py_REFCNT(v) != 1 || newsize < 0 ||
            PyString_CHECK_INTERNED(v)) {
            *pv = 0;
            Py_DECREF(v);
            PyErr_BadInternalCall();
            return -1;
        }
Unfortunately, a few lines below it does the following:
    *pv = (PyObject *)
        PyObject_REALLOC((char *)v, PyStringObject_SIZE + newsize);

So now, if PyStringObject_SIZE + newsize is enough to wrap around, then realloc
through Python will end up allocating insufficient space for the 'new' string.
The Python interpreter is likely to crash on this line:

    sv->ob_sval[newsize] = '\0';
I haven't tried to reproduce this in the python interpreter.
IMHO the code should be checking that newsize + PyStringObject_SIZE is
non-negative.
[0] - http://svn.python.org/projects/python/trunk/Objects/stringobject.c
----------
messages: 146927
nosy: db
priority: normal
severity: normal
status: open
title: Erroneous Size check in
_______________________________________
Python tracker <[email protected]>
<http://bugs.python.org/issue13334>
_______________________________________
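The report above argues for validating the header-plus-payload sum, not just the payload sign, before the size reaches the allocator. The following is an added, stand-alone C example written for this page (it is not CPython code and does not use CPython headers): it models the two checks side by side with a constructed header size and a typedef standing in for Py_ssize_t. The HEADER_SIZE value (37), the type stand-ins and the function names are assumptions made for the example. The point it demonstrates is the general pattern for overflow-safe size arithmetic: compare the payload against the maximum minus the header before adding, so the total can never exceed the range of the type that will hold it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for the CPython types and macros (assumptions for this example,
 * not CPython's own definitions). */
typedef ptrdiff_t Py_ssize_t;
#define PY_SSIZE_T_MAX PTRDIFF_MAX

/* Constructed stand-in for PyStringObject_SIZE: bytes of object header that
 * precede the character payload. The real value is platform dependent. */
#define HEADER_SIZE ((size_t)37)

/* Size computation as the report describes the original: only a negative
 * newsize is rejected, then header and payload are simply added. The addition
 * happens in size_t, so for a non-negative newsize it does not wrap, but the
 * total can exceed PY_SSIZE_T_MAX, which the report's proposed "sum must be
 * non-negative" check is meant to catch. Returns 0 when rejected. */
size_t unchecked_alloc_size(Py_ssize_t newsize)
{
    if (newsize < 0)
        return 0;
    return HEADER_SIZE + (size_t)newsize;
}

/* Hardened size computation: reject negative payloads and, before adding,
 * reject any payload for which header + newsize would not fit in Py_ssize_t.
 * Comparing against (MAX - header) avoids performing the overflowing addition
 * at all, which is the portable way to write this kind of check.
 * Returns 0 when rejected (a valid total is never 0 because HEADER_SIZE >= 1). */
size_t checked_alloc_size(Py_ssize_t newsize)
{
    if (newsize < 0)
        return 0;
    if ((size_t)newsize > (size_t)PY_SSIZE_T_MAX - HEADER_SIZE)
        return 0;   /* total would exceed the range ob_size can hold */
    return HEADER_SIZE + (size_t)newsize;
}

/* Stand-alone driver: prints how each variant treats a few payload sizes. */
int main(void)
{
    Py_ssize_t probes[] = {
        -1,
        100,
        (Py_ssize_t)((size_t)PY_SSIZE_T_MAX - HEADER_SIZE),      /* largest accepted */
        (Py_ssize_t)((size_t)PY_SSIZE_T_MAX - HEADER_SIZE + 1),  /* one past the edge */
        PY_SSIZE_T_MAX - 10,
    };
    size_t n = sizeof probes / sizeof probes[0];

    printf("%22s %22s %22s\n", "newsize", "unchecked total", "checked total");
    for (size_t i = 0; i < n; i++) {
        printf("%22td %22zu %22zu\n", probes[i],
               unchecked_alloc_size(probes[i]),
               checked_alloc_size(probes[i]));
    }
    return 0;
}
```

The run shows the difference on the last two probes: the unchecked variant hands the allocator a total larger than PY_SSIZE_T_MAX, while the hardened variant rejects the request before any arithmetic is done. The same "compare against MAX minus the fixed part, then add" shape applies whenever a fixed header is combined with a caller-controlled length.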