New submission from Daniel Sturm <voodoo...@gmail.com>:

The mid index computation in _bisectmodule.c in both internal_bisect_right and 
internal_bisect_left is done with:

mid = (lo + hi) / 2; // all three variables Py_ssize_t

which is susceptible to overflows for large arrays, which would lead to 
undefined behavior (and in practice almost certainly a crash with a negative 
index).

The fix is trivial - mid = lo + (hi - lo) / 2; - but since I'm just starting to 
look into the code base I may be missing some undocumented assertions that 
guarantee this can't happen.

----------
components: Extension Modules
messages: 148517
nosy: Voo
priority: normal
severity: normal
status: open
title: bisect module: Overflow at index computation
type: behavior
versions: Python 3.4

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue13496>
_______________________________________
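
The midpoint issue described in the report above, as an added example that is not part of the original message or of CPython's source: a bisect_right loop that uses the overflow-safe midpoint and records whether the `(lo + hi) / 2` form would have overflowed. The names `idx_t`, `item` and `bisect_right_virtual` are hypothetical; `idx_t` stands in for `Py_ssize_t`, and the searched sequence is a constructed virtual one (item i equals i) so that indices near the maximum need no allocation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef ptrdiff_t idx_t;            /* stand-in for Py_ssize_t (assumption) */
#define IDX_MAX PTRDIFF_MAX

/* Would lo + hi overflow? Checked without performing the signed addition,
   because the overflow itself is undefined behaviour. Requires 0 <= lo <= hi. */
static int naive_mid_overflows(idx_t lo, idx_t hi) {
    return hi > IDX_MAX - lo;
}

/* Overflow-safe midpoint from the report; hi - lo cannot overflow
   when 0 <= lo <= hi. */
static idx_t safe_mid(idx_t lo, idx_t hi) {
    return lo + (hi - lo) / 2;
}

/* Constructed input: a virtual sorted sequence where item i equals i, so
   indices near IDX_MAX can be searched without allocating memory. */
static idx_t item(idx_t i) { return i; }

/* bisect_right over items [lo, hi). If overflowed is non-NULL, it records
   whether (lo + hi) / 2 would have overflowed at any step. */
static idx_t bisect_right_virtual(idx_t key, idx_t lo, idx_t hi, int *overflowed) {
    if (overflowed) *overflowed = 0;
    while (lo < hi) {
        if (overflowed && naive_mid_overflows(lo, hi)) *overflowed = 1;
        idx_t mid = safe_mid(lo, hi);
        if (key < item(mid)) hi = mid;
        else lo = mid + 1;
    }
    return lo;
}

/* Convenience wrapper: 1 if the naive midpoint would overflow during the search. */
static int naive_would_overflow(idx_t key, idx_t lo, idx_t hi) {
    int flag;
    bisect_right_virtual(key, lo, hi, &flag);
    return flag;
}

int main(void) {
    idx_t pos = bisect_right_virtual(IDX_MAX - 2, 0, IDX_MAX, NULL);
    printf("insertion point: %td, naive overflow: %d\n", pos,
           naive_would_overflow(IDX_MAX - 2, 0, IDX_MAX));
    return 0;
}
```

The overflow first becomes possible on the second iteration, once lo has moved past half of the index range while hi is still near the maximum.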