New submission from Larry Hastings:

The implementations for LOAD_FAST, STORE_FAST, and DELETE_FAST don't check that 
the index is <= the size of fastlocals.  So it's a snap to crash the 
interpreter with hand-written bytecode, by going past the end of the fastlocals 
array.  Kaboom!

Attached is a program that demonstrates a crash with each of LOAD_FAST, 
STORE_FAST, and DELETE_FAST.  These all crashed 2.7, 3.2, 3.3, and a recent 
trunk.  (Well, two exceptions: LOAD_FAST and DELETE_FAST didn't crash 3.2.  
Given the behavior, my suspicion is not that 3.2 is hardened, just that there's 
something dopey with my thrown-together test.)

It could be that this is not an interesting bug, that policy suggests that 
anyone who can write their own bytecode is a Consenting Adult.  You tell me.

----------
components: Interpreter Core
files: crashy2.py
messages: 181944
nosy: larry
priority: normal
severity: normal
stage: needs patch
status: open
title: _FAST opcodes do no range checking
type: crash
versions: Python 2.7, Python 3.2, Python 3.3, Python 3.4
Added file: http://bugs.python.org/file29046/crashy2.py

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue17190>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
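
A defensive counterpart to the range check the report says is missing, as an added example that is not part of the original message or of CPython: it scans raw bytecode before it is executed and reports every LOAD_FAST, STORE_FAST or DELETE_FAST whose index falls outside a fastlocals array of the size the caller supplies. The function name, the constructed sample bytes, and the 2-byte instruction layout of CPython 3.6 and later (not the older releases named in the report) are assumptions.

```python
import dis

# Opcode numbers are taken from the running interpreter, so none are hard-coded.
FAST_OPS = {dis.opmap[n]: n for n in ("LOAD_FAST", "STORE_FAST", "DELETE_FAST")}
EXTENDED_ARG = dis.opmap["EXTENDED_ARG"]


def out_of_range_fast_ops(raw, nslots):
    """Return [(offset, opname, index)] for each _FAST instruction whose index
    is not a valid position in a fastlocals array of nslots entries.

    Assumption: `raw` uses the 2-byte (opcode, oparg) layout of CPython 3.6+.
    The caller supplies nslots because the size of fastlocals is a property
    of the code object and frame, not of the instruction stream.
    """
    if len(raw) % 2:
        raise ValueError("truncated bytecode: odd length")
    findings = []
    ext = 0  # high bits accumulated from EXTENDED_ARG prefixes
    for offset in range(0, len(raw), 2):
        op, arg = raw[offset], raw[offset + 1]
        if op == EXTENDED_ARG:
            ext = (ext | arg) << 8  # prefix widens the next instruction's oparg
            continue
        index = ext | arg
        ext = 0
        if op in FAST_OPS and index >= nslots:
            findings.append((offset, FAST_OPS[op], index))
    return findings


# Constructed sample, never executed: two in-range accesses, one LOAD_FAST
# with index 7, and one DELETE_FAST widened to index 256 by EXTENDED_ARG.
SAMPLE = bytes([
    dis.opmap["LOAD_FAST"], 0,
    dis.opmap["STORE_FAST"], 1,
    dis.opmap["LOAD_FAST"], 7,
    EXTENDED_ARG, 1,
    dis.opmap["DELETE_FAST"], 0,
])

if __name__ == "__main__":
    for offset, name, index in out_of_range_fast_ops(SAMPLE, 2):
        print("offset %d: %s index %d is outside 2 fastlocals slots"
              % (offset, name, index))
```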