New submission from paul: # Bug # --- # # static PyObject * # cwr_new(PyTypeObject *type, PyObject *args, PyObject *kwds) # { # ... # 1 indices = PyMem_Malloc(r * sizeof(Py_ssize_t)); # ... # for (i=0 ; i<r ; i++) # 2 indices[i] = 0; # # # 1. if r=2^30, then r*sizeof(Py_ssize_t)=2^30*2^2=0 (modulo 2^32), so malloc # allocates a 0 byte buffer # 2. r=2^30>0, so we write well beyond the buffer's end # # Crash # ----- # # Breakpoint 1, cwr_new (type=0x83392a0 <cwr_type>, args=('AA', 1073741824), kwds=0x0) at ./Modules/itertoolsmodule.c:2684 # 2684 PyObject *pool = NULL; # ... # 2703 indices = PyMem_Malloc(r * sizeof(Py_ssize_t)); # (gdb) print r # $1 = 1073741824 # (gdb) print r*4 # $2 = 0 # (gdb) c # Continuing. # # Program received signal SIGSEGV, Segmentation fault. # 0x0822fdcd in cwr_new (type=0x83392a0 <cwr_type>, args=('AA', 1073741824), kwds=0x0) at ./Modules/itertoolsmodule.c:2710 # 2710 indices[i] = 0; # # OS info # ------- # # % ./python -V # Python 3.4.1 # # % uname -a # Linux ubuntu 3.8.0-29-generic #42~precise1-Ubuntu SMP Wed Aug 14 15:31:16 UTC 2013 i686 i686 i386 GNU/Linux # import itertools as it it.combinations_with_replacement("AA", 2**30)
---------- files: poc_cwr.py messages: 235173 nosy: pkt priority: normal severity: normal status: open title: integer overflow in itertools.combinations_with_replacement type: crash versions: Python 3.4 Added file: http://bugs.python.org/file37964/poc_cwr.py _______________________________________ Python tracker <rep...@bugs.python.org> <http://bugs.python.org/issue23365> _______________________________________ _______________________________________________ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com