New submission from david <db.pub.m...@gmail.com>:

The _PyString_Resize function in stringobject.c[0] takes in a PyObject ** and a Py_ssize_t newsize, where Py_ssize_t is often a typedef for ssize_t (a signed version of size_t). As such the newsize parameter could be negative. The code checks for when the newsize is negative like so:

    int
    _PyString_Resize(PyObject **pv, Py_ssize_t newsize)
    {
        ...
        if (!PyString_Check(v) || Py_REFCNT(v) != 1 || newsize < 0 ||
            PyString_CHECK_INTERNED(v)) {
            *pv = 0;
            Py_DECREF(v);
            PyErr_BadInternalCall();
            return -1;
        }

Unfortunately, a few lines below it does the following:

    *pv = (PyObject *) PyObject_REALLOC((char *)v, PyStringObject_SIZE + newsize);

So now, if PyStringObject_SIZE + newsize is enough to wrap around, then realloc through Python will end up allocating insufficient space for the 'new' string. The Python interpreter is likely to crash on this line:

    sv->ob_sval[newsize] = '\0';

I haven't tried to reproduce this in the Python interpreter. IMHO the code should be checking that newsize + PyStringObject_SIZE is non-negative.

[0] - http://svn.python.org/projects/python/trunk/Objects/stringobject.c

----------
messages: 146927
nosy: db
priority: normal
severity: normal
status: open
title: Erroneous Size check in

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue13334>
_______________________________________
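The following is an added example written for this page; it is not code from the report above or from CPython. It models the size check the report describes with a constructed stand-in for the string object layout (a fake struct, so HEADER_SIZE is an assumed constant, not the real PyStringObject_SIZE), and it assumes, as the report does, that the addition HEADER_SIZE + newsize is evaluated in Py_ssize_t. Because signed overflow is undefined behaviour in C, the wrap is reproduced with unsigned arithmetic and a cast back. Alongside the posted check it shows an overflow-safe form of the check the reporter asks for: instead of adding and then testing the sign, test newsize against PY_SSIZE_T_MAX - HEADER_SIZE so the addition is never performed on an out-of-range value.

```c
/* Added example, not CPython's code: models the size check in
 * _PyString_Resize as the bug report describes it.  The object layout,
 * HEADER_SIZE and the names below are constructed stand-ins. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

typedef ssize_t Py_ssize_t;                        /* signed counterpart of size_t */
#define PY_SSIZE_T_MAX ((Py_ssize_t)(SIZE_MAX >> 1))

/* Constructed stand-in for the string header: everything before ob_sval. */
struct fake_string {
    Py_ssize_t ob_refcnt;
    void      *ob_type;
    Py_ssize_t ob_size;
    long       ob_shash;
    int        ob_sstate;
    char       ob_sval[1];
};
/* Header bytes plus one for the trailing NUL (assumed layout, see above). */
#define HEADER_SIZE ((Py_ssize_t)offsetof(struct fake_string, ob_sval) + 1)

/* The check as posted in the report: only a negative newsize is rejected.
 * Returns 1 when the size would be accepted, 0 when it would be rejected. */
int original_check(Py_ssize_t newsize)
{
    return newsize >= 0;
}

/* The byte count that would be handed to the allocator if HEADER_SIZE + newsize
 * is evaluated in Py_ssize_t.  Signed overflow is undefined in C, so the wrap is
 * reproduced with unsigned addition and a cast back to the signed type, which is
 * modular on the two's-complement compilers CPython is built with. */
Py_ssize_t wrapped_alloc_size(Py_ssize_t newsize)
{
    return (Py_ssize_t)((size_t)HEADER_SIZE + (size_t)newsize);
}

/* Overflow-safe form of the check the report asks for: HEADER_SIZE + newsize
 * must fit in Py_ssize_t, tested without performing the addition. */
int hardened_check(Py_ssize_t newsize)
{
    if (newsize < 0)
        return 0;
    if (newsize > PY_SSIZE_T_MAX - HEADER_SIZE)
        return 0;
    return 1;
}

int main(void)
{
    Py_ssize_t big = PY_SSIZE_T_MAX - 1;   /* non-negative, so the posted check passes */

    printf("header size (constructed): %zd\n", HEADER_SIZE);
    printf("original check accepts %zd: %d\n", big, original_check(big));
    printf("size that would be requested: %zd\n", wrapped_alloc_size(big));
    printf("hardened check accepts %zd: %d\n", big, hardened_check(big));
    return 0;
}
```

The value printed as "size that would be requested" is negative under the assumption stated in the lead-in; what an allocator does with it then depends on the type it is converted to at the call site, which this example does not model.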