Author pkt
Recipients pkt
Date 2014-10-15.14:50:29
Message-id <1413384630.17.0.213972312804.issue22643@psf.upfronthosting.co.za>
In-reply-to
Content
Crashes python 3.4.1. 

# Objects\unicodeobject.c
# 
# static PyObject *
# case_operation(PyObject *self,
#                Py_ssize_t (*perform)(int, void *, Py_ssize_t, Py_UCS4 *, Py_UCS4 *))
# {
#     PyObject *res = NULL;
#     Py_ssize_t length, newlength = 0;
#     int kind, outkind;
#     (...)
# 1   length = PyUnicode_GET_LENGTH(self);
# 2   tmp = PyMem_MALLOC(sizeof(Py_UCS4) * 3 * length);
#     (...)
# 3   newlength = perform(kind, data, length, tmp, &maxchar);
# 
# 1. there are no safety checks 
# 2. 12*length overflows
# 3. perform() writes to tmp buffer, which is too small to hold the result
History
Date User Action Args
2014-10-15 14:50:30 pkt set recipients: + pkt
2014-10-15 14:50:30 pkt set messageid: <1413384630.17.0.213972312804.issue22643@psf.upfronthosting.co.za>
2014-10-15 14:50:30 pkt link issue22643 messages
2014-10-15 14:50:30 pkt create
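
The size computation the report points at, beside an overflow-checked form, as an added example that is not part of the original report or of CPython. The names `ucs4_t`, `unchecked_size32`, `checked_size` and `alloc_case_buffer` are hypothetical, and a build with a 32-bit `size_t` is modelled with `uint32_t` so the wrap-around is reproducible on any host.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef uint32_t ucs4_t;            /* stand-in for Py_UCS4 (4 bytes) */
#define EXPANSION 3u                /* up to 3 output code points per input */

/* Models line 2 of the report where size_t is 32 bits: the product wraps. */
uint32_t unchecked_size32(uint32_t length)
{
    return (uint32_t)sizeof(ucs4_t) * EXPANSION * length;
}

/* Returns 1 and stores the byte count if it fits in limit, else 0. */
int checked_size(size_t length, size_t limit, size_t *out)
{
    if (length > limit / (sizeof(ucs4_t) * EXPANSION))
        return 0;                   /* product would exceed limit: refuse */
    *out = sizeof(ucs4_t) * EXPANSION * length;
    return 1;
}

/* Hardened allocation: NULL on overflow instead of an undersized buffer. */
ucs4_t *alloc_case_buffer(size_t length)
{
    size_t nbytes;
    if (!checked_size(length, SIZE_MAX, &nbytes))
        return NULL;
    return malloc(nbytes ? nbytes : 1);
}

int main(void)
{
    uint32_t length = 0x15555556u;  /* constructed: smallest length that wraps */
    size_t nbytes;
    printf("unchecked 32-bit size: %u bytes for %u code points\n",
           (unsigned)unchecked_size32(length), (unsigned)length);
    printf("checked against UINT32_MAX: %s\n",
           checked_size(length, UINT32_MAX, &nbytes) ? "ok" : "rejected");
    return 0;
}
```

With the unchecked form the allocator is asked for 8 bytes while the caller still believes it has room for `3 * length` code points; the checked form rejects the request before any allocation happens.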