[issue4509] possible memoryview bug

2008-12-06 Thread Antoine Pitrou
Antoine Pitrou <[EMAIL PROTECTED]> added the comment: The segfault happens even when the array is not being resized, I've opened a separate bug for it: #4509. ___ Python tracker <[EMAIL PROTECTED]> ___

[issue4509] possible memoryview bug

2008-12-06 Thread gumpy
gumpy <[EMAIL PROTECTED]> added the comment: It turns out the problems in array are more serious than I thought and allow writing to unallocated memory through a memoryview leading to memory corruption, segfaults and possibly exploits. The following example extends an array enough to trigger a re

[issue4509] possible memoryview bug

2008-12-06 Thread Antoine Pitrou
Antoine Pitrou <[EMAIL PROTECTED]> added the comment: New bytearray patch at http://codereview.appspot.com/10049. I think I've covered all bases. array.array will need another patch (I must admit I care a bit less about it, since it's not a builtin type). The patch will have to be backported for

[issue4509] possible memoryview bug

2008-12-06 Thread Antoine Pitrou
Antoine Pitrou <[EMAIL PROTECTED]> added the comment:
> There may be other places this can happen but I haven't checked yet.
PyByteArray_Resize() is called in various places in bytearrayobject.c, some of them where it is mandatory to mutate the underlying storage before reallocating it. The solu

[issue4509] possible memoryview bug

2008-12-05 Thread gumpy
gumpy <[EMAIL PROTECTED]> added the comment: I found another related bug. In bytes_setslice, when the buffer is resized to a smaller size, a memmove happens regardless of whether the resize is successful or not.
    >>> b = bytearray(range(10))
    >>> m = memoryview(b)
    >>> b[1:8] = b'X'
    Traceback (most

[issue4509] possible memoryview bug

2008-12-05 Thread Antoine Pitrou
Antoine Pitrou <[EMAIL PROTECTED]> added the comment: Please see patch at http://codereview.appspot.com/10049
--
keywords: +needs review, patch
stage: needs patch -> patch review

[issue4509] possible memoryview bug

2008-12-04 Thread Antoine Pitrou
Antoine Pitrou <[EMAIL PROTECTED]> added the comment: It's not a memoryview bug, but a bytearray oddity. The bytearray uses a variable-sized buffer underneath, and it tries to minimize the number of reallocations when changing the object length through some simple heuristics. Therefore, a bytearr

[issue4509] possible memoryview bug

2008-12-03 Thread gumpy
New submission from gumpy <[EMAIL PROTECTED]>: I'm unsure of the expected behavior in this case but it seems odd. The bytearray in the following example can be resized to a length of 5-10 bytes without throwing an exception.
    Python 3.0rc3 (r30rc3:67312, Dec 3 2008, 10:38:14)
    [GCC 4.2.4 (Ubun