Classification
Title: ctypes: segfault with large structure field names
Type: crash    Stage: resolved
Components: ctypes    Versions: Python 3.2, Python 3.3, Python 3.4, Python 2.7
Process
Status: closed    Resolution: fixed
Dependencies:    Superseder:
Assigned To: meador.inge
Nosy List: amaury.forgeotdarc, belopolsky, meador.inge, neologix, python-dev
Priority: normal    Keywords: patch

Created on 2011-09-02 03:50 by meador.inge, last changed 2011-10-04 03:58 by meador.inge. This issue is now closed.

Files
File name | Uploaded | Description
issue12881.patch | meador.inge, 2011-09-03 16:12 |

Messages (11)
msg143376 - Author: Meador Inge (meador.inge) * (Python committer) Date: 2011-09-02 03:50
Reproduced on Fedora 15 with tip Python:

[meadori@motherbrain cpython]$ ./python 
Python 3.3.0a0 (default:3102951cc1ce+, Sep  1 2011, 22:19:06) 
[GCC 4.6.0 20110603 (Red Hat 4.6.0-10)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import ctypes
[68588 refs]
>>> class S(ctypes.Structure):
...     _fields_ = [('x' * 10000000, ctypes.c_int)]
... 
Segmentation fault (core dumped)
msg143438 - Author: Amaury Forgeot d'Arc (amaury.forgeotdarc) * (Python committer) Date: 2011-09-02 21:26
Certainly the effect of some "alloca" call with a large value, then the stack overflows.
msg143441 - Author: Meador Inge (meador.inge) * (Python committer) Date: 2011-09-02 22:25
On Fri, Sep 2, 2011 at 4:26 PM, Amaury Forgeot d'Arc
<report@bugs.python.org> wrote:
>
> Amaury Forgeot d'Arc <amauryfa@gmail.com> added the comment:
>
> Certainly the effect of some "alloca" call with a large value, then the stack overflows.

Yeah, I noticed that too.  I was actually pretty surprised to see
"alloca" in there :-)
msg143466 - Author: Meador Inge (meador.inge) * (Python committer) Date: 2011-09-03 16:12
Here is a patch that replaces the 'alloca' call with 'PyMem_Malloc'.
msg143851 - Author: Meador Inge (meador.inge) * (Python committer) Date: 2011-09-11 03:01
Ping.  Any thoughts on this one?
msg143870 - Author: Charles-François Natali (neologix) * (Python committer) Date: 2011-09-11 15:20
Looks good to me.
msg143889 - Author: Amaury Forgeot d'Arc (amaury.forgeotdarc) * (Python committer) Date: 2011-09-12 07:57
Note that there is at least one other place where alloca() is used with potentially large values: the POINTER() function in callproc.c.
Also, PyUnicode_FromFormat could be used instead of sprintf.
msg144006 - Author: Meador Inge (meador.inge) * (Python committer) Date: 2011-09-14 02:42
> Note that there is at least one other place where alloca() is
> used with potentially large values:

Ouch!  I found three more crashers (including the one you found)
by grepping for 'alloca' in ctypes:

>>> from ctypes import *
>>> T = type('x' * 2 ** 25, (Structure,), {})
>>> p = POINTER(T)
Segmentation fault (core dumped)

>>> from ctypes import *
>>> p = POINTER('x' * 2 ** 25)
Segmentation fault (core dumped)

>>> from ctypes import *
>>> NARGS = 2 ** 20
>>> proto = CFUNCTYPE(None, *(c_int,) * NARGS)
>>> def func(*args):
...    return (1, "abc", None)
... 
>>> cb = proto(func)
>>> cb(*(1,) * NARGS)
Segmentation fault (core dumped)

I will fix those too.
msg144399 - Author: Meador Inge (meador.inge) * (Python committer) Date: 2011-09-22 03:21
I am going to open separate issues for the other crashers.

> Also, PyUnicode_FromFormat could be used instead of sprintf.

Amaury, how so?  'sprintf' and 'stgdict->format' work with 'char *'s 
where as 'PyUnicode_FromFormat' builds a unicode string object.

Unless there are any objections, I am going to commit as is.
msg144849 - Author: Roundup Robot (python-dev) (Python triager) Date: 2011-10-04 03:40
New changeset aa3ebc2dfc15 by Meador Inge in branch '2.7':
Issue #12881: ctypes: Fix segfault with large structure field names.
http://hg.python.org/cpython/rev/aa3ebc2dfc15

New changeset d05350c14e77 by Meador Inge in branch '3.2':
Issue #12881: ctypes: Fix segfault with large structure field names.
http://hg.python.org/cpython/rev/d05350c14e77

New changeset 2eab632864f6 by Meador Inge in branch 'default':
Issue #12881: ctypes: Fix segfault with large structure field names.
http://hg.python.org/cpython/rev/2eab632864f6
msg144853 - Author: Meador Inge (meador.inge) * (Python committer) Date: 2011-10-04 03:58
Fixed.  Opened issue13096 and issue13097 for the other crashers.
History
Date | User | Action | Args
2011-10-04 03:58:14 | meador.inge | set | status: open -> closed; resolution: fixed; messages: + msg144853; stage: commit review -> resolved
2011-10-04 03:40:20 | python-dev | set | nosy: + python-dev; messages: + msg144849
2011-09-28 02:29:24 | meador.inge | set | assignee: meador.inge; versions: + Python 2.7, Python 3.2
2011-09-22 03:21:28 | meador.inge | set | messages: + msg144399
2011-09-14 02:42:58 | meador.inge | set | messages: + msg144006
2011-09-12 07:57:33 | amaury.forgeotdarc | set | messages: + msg143889
2011-09-11 15:20:02 | neologix | set | nosy: + neologix; messages: + msg143870; stage: patch review -> commit review
2011-09-11 03:01:59 | meador.inge | set | messages: + msg143851
2011-09-03 16:12:49 | meador.inge | set | files: + issue12881.patch; keywords: + patch; messages: + msg143466; stage: needs patch -> patch review
2011-09-02 22:25:38 | meador.inge | set | messages: + msg143441
2011-09-02 21:26:11 | amaury.forgeotdarc | set | messages: + msg143438
2011-09-02 03:50:51 | meador.inge | create |