➜ 
This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.
Created on 2014-09-04 10:38 by swanson, last changed 2022-04-11 14:58 by admin. This issue is now closed.
| Files | ||||
|---|---|---|---|---|
| File name | Uploaded | Description | Edit | |
| issue19087.patch | jwilk, 2014-10-14 16:54 | review | ||
| ba_resize.patch | pitrou, 2014-11-02 16:08 | review | ||
| Messages (10) | |||
|---|---|---|---|
| msg226356 - (view) | Author: (swanson) | Date: 2014-09-04 10:38 | |
On Python 3, but not Python 2, you crash with a Segmentation Fault instead of getting a MemoryError as expected. It seems to only be a problem with bytearray, not with other things like tuple: $ python3 Python 3.4.0 (default, Apr 11 2014, 13:05:18) [GCC 4.8.2] on linux Type "help", "copyright", "credits" or "license" for more information. >>> bytearray(0x7FFFFFFF) Segmentation fault (core dumped) $ compare to: $ python Python 2.7.6 (default, Mar 22 2014, 22:59:38) [GCC 4.8.2] on linux2 Type "help", "copyright", "credits" or "license" for more information. >>> bytearray(0x7FFFFFFF) Traceback (most recent call last): File "<stdin>", line 1, in <module> MemoryError >>> $ python3 Python 3.4.0 (default, Apr 11 2014, 13:05:18) [GCC 4.8.2] on linux Type "help", "copyright", "credits" or "license" for more information. >>> (0,)*0x7FFFFFFF Traceback (most recent call last): File "<stdin>", line 1, in <module> MemoryError >>> | |||
| msg226358 - (view) | Author: Serhiy Storchaka (serhiy.storchaka) *  | Date: 2014-09-04 11:57 | |
Looks as integer overflow introduced in issue19087. + if (size + logical_offset + 1 < alloc) { | |||
| msg229314 - (view) | Author: Jakub Wilk (jwilk) | Date: 2014-10-14 16:54 | |
This patch should fix it. | |||
| msg229322 - (view) | Author: Jakub Wilk (jwilk) | Date: 2014-10-14 17:44 | |
On a second thought, "logical_offset + 1" alone could overflow; and there are apparently other possible integer overflows in this function. | |||
| msg230496 - (view) | Author: Serhiy Storchaka (serhiy.storchaka) * | Date: 2014-11-02 15:59 | |
"logical_offset + 1" can't overflow because logical_offset is an offset in allocated array not counting final null byte. | |||
| msg230497 - (view) | Author: Antoine Pitrou (pitrou) * | Date: 2014-11-02 15:59 | |
Note that there are two possible crashes in debug mode: $ ./python -c "bytearray(2**31-1)" Erreur de segmentation $ ./python -c "bytearray(2**31-2)" python: Objects/obmalloc.c:1179: _PyObject_Alloc: Assertion `nelem <= ((Py_ssize_t)(((size_t)-1)>>1)) / elsize' failed. Abandon | |||
| msg230499 - (view) | Author: Antoine Pitrou (pitrou) * | Date: 2014-11-02 16:08 | |
Here is a patch. It also fixes a bug in the debug allocators, which didn't properly check for Py_ssize_t overflow. | |||
| msg230505 - (view) | Author: Serhiy Storchaka (serhiy.storchaka) * | Date: 2014-11-02 17:06 | |
LGTM. | |||
| msg230509 - (view) | Author: Roundup Robot (python-dev)  | Date: 2014-11-02 17:42 | |
New changeset 1590c594550e by Antoine Pitrou in branch '3.4': Issue #22335: Fix crash when trying to enlarge a bytearray to 0x7fffffff bytes on a 32-bit platform. https://hg.python.org/cpython/rev/1590c594550e New changeset f0b334ae95c9 by Antoine Pitrou in branch 'default': Issue #22335: Fix crash when trying to enlarge a bytearray to 0x7fffffff bytes on a 32-bit platform. https://hg.python.org/cpython/rev/f0b334ae95c9 | |||
| msg230510 - (view) | Author: Antoine Pitrou (pitrou) * | Date: 2014-11-02 17:43 | |
Thank you. This is now pushed. | |||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:58:07 | admin | set | github: 66531 |
| 2014-11-02 17:43:23 | pitrou | set | status: open -> closed resolution: fixed messages: + msg230510 stage: commit review -> resolved |
| 2014-11-02 17:42:57 | python-dev | set | nosy: + python-dev messages: + msg230509 |
| 2014-11-02 17:06:10 | serhiy.storchaka | set | messages: + msg230505 stage: patch review -> commit review |
| 2014-11-02 16:08:20 | pitrou | set | components: + Interpreter Core stage: needs patch -> patch review |
| 2014-11-02 16:08:11 | pitrou | set | files: + ba_resize.patch messages: + msg230499 |
| 2014-11-02 15:59:45 | pitrou | set | messages: + msg230497 |
| 2014-11-02 15:59:16 | serhiy.storchaka | set | messages: + msg230496 |
| 2014-11-02 15:16:25 | ezio.melotti | set | nosy: + ezio.melotti |
| 2014-10-14 23:49:18 | Arfrever | set | nosy: + Arfrever |
| 2014-10-14 17:44:29 | jwilk | set | messages: + msg229322 |
| 2014-10-14 16:54:31 | jwilk | set | files: + issue19087.patch nosy: + jwilk messages: + msg229314 keywords: + patch |
| 2014-09-04 11:57:58 | vstinner | set | nosy: + vstinner |
| 2014-09-04 11:57:10 | serhiy.storchaka | set | versions: + Python 3.5 nosy: + serhiy.storchaka, pitrou messages: + msg226358 stage: needs patch |
| 2014-09-04 10:38:57 | swanson | create | |