➜
This issue tracker has been migrated to GitHub,
and is currently read-only.
For more information,
see the GitHub FAQs in the Python's Developer Guide.
Created on 2015-02-01 13:56 by pkt, last changed 2022-04-11 14:58 by admin. This issue is now closed.
| Files | ||||
|---|---|---|---|---|
| File name | Uploaded | Description | Edit | |
| poc_combinations.py | pkt, 2015-02-01 13:56 | |||
| itertools_overflows.patch | serhiy.storchaka, 2015-02-02 07:05 | review | ||
| itertools_overflows_2.patch | serhiy.storchaka, 2015-02-02 17:00 | review | ||
| Messages (7) | |||
|---|---|---|---|
| msg235174 - (view) | Author: paul (pkt) | Date: 2015-02-01 13:56 | |
# Bug
# ---
#
# static PyObject *
# combinations_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
# {
# ...
#
# 1 indices = PyMem_Malloc(r * sizeof(Py_ssize_t));
# ...
#
# for (i=0 ; i<r ; i++)
# 2 indices[i] = i;
#
# 1. if r=2^30, then r*sizeof(Py_ssize_t)=2^30*2^2=0 (modulo 2^32), so malloc
# allocates a 0 byte buffer
# 2. r=2^30>0, so we write well beyond the buffer's end
#
# Crash
# -----
#
# Breakpoint 1, combinations_new (type=0x83390c0 <combinations_type>, args=('AA', 1073741824), kwds=0x0)
# at ./Modules/itertoolsmodule.c:2343
# 2343 PyObject *pool = NULL;
# ...
# (gdb) n
# 2362 indices = PyMem_Malloc(r * sizeof(Py_ssize_t));
# (gdb) print r
# $1 = 1073741824
# (gdb) print r*4
# $2 = 0
# (gdb) c
# Continuing.
#
# Program received signal SIGSEGV, Segmentation fault.
# 0x0822f359 in combinations_new (type=0x83390c0 <combinations_type>, args=('AA', 1073741824), kwds=0x0)
# at ./Modules/itertoolsmodule.c:2369
# 2369 indices[i] = i;
# OS info
# -------
#
# % ./python -V
# Python 3.4.1
#
# % uname -a
# Linux ubuntu 3.8.0-29-generic #42~precise1-Ubuntu SMP Wed Aug 14 15:31:16 UTC 2013 i686 i686 i386 GNU/Linux
#
import itertools as it
it.combinations("AA", 2**30)
|
|||
| msg235216 - (view) | Author: Roundup Robot (python-dev)  |
Date: 2015-02-02 02:04 | |
New changeset 014886dae5c4 by Benjamin Peterson in branch '3.3': detect overflow in combinations (closes #23366) https://hg.python.org/cpython/rev/014886dae5c4 New changeset 2f73de7ffcf5 by Benjamin Peterson in branch '3.4': merge 3.3 (#23366) https://hg.python.org/cpython/rev/2f73de7ffcf5 New changeset 886559229911 by Benjamin Peterson in branch 'default': merge 3.4 (#23366) https://hg.python.org/cpython/rev/886559229911 New changeset fe203370c049 by Benjamin Peterson in branch '2.7': detect overflow in combinations (closes #23366) https://hg.python.org/cpython/rev/fe203370c049 |
|||
| msg235227 - (view) | Author: Serhiy Storchaka (serhiy.storchaka) *  |
Date: 2015-02-02 07:05 | |
This commit (and three other) causes compiler warnings:
./Modules/itertoolsmodule.c: In function ‘product_new’:
./Modules/itertoolsmodule.c:2025:20: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
if (repeat > PY_SSIZE_T_MAX/sizeof(Py_ssize_t) ||
^
./Modules/itertoolsmodule.c:2026:19: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
nargs > PY_SSIZE_T_MAX/(repeat * sizeof(Py_ssize_t))) {
^
./Modules/itertoolsmodule.c: In function ‘combinations_new’:
./Modules/itertoolsmodule.c:2371:11: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
if (r > PY_SSIZE_T_MAX/sizeof(Py_ssize_t)) {
^
./Modules/itertoolsmodule.c: In function ‘cwr_new’:
./Modules/itertoolsmodule.c:2716:11: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
if (r > PY_SSIZE_T_MAX/sizeof(Py_ssize_t)) {
^
./Modules/itertoolsmodule.c: In function ‘permutations_new’:
./Modules/itertoolsmodule.c:3061:11: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
if (n > PY_SSIZE_T_MAX/sizeof(Py_ssize_t) ||
^
./Modules/itertoolsmodule.c:3062:11: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
r > PY_SSIZE_T_MAX/sizeof(Py_ssize_t)) {
^
May be use PyMem_New instead of PyMem_Malloc?
|
|||
| msg235272 - (view) | Author: Serhiy Storchaka (serhiy.storchaka) * |
Date: 2015-02-02 17:00 | |
And with this patch an OverflowError in tests should be replaced with (OverflowError, MemoryError). Updated patch also fixes other bugs in itertools tests. |
|||
| msg235299 - (view) | Author: Benjamin Peterson (benjamin.peterson) * |
Date: 2015-02-02 22:54 | |
lgtm |
|||
| msg235308 - (view) | Author: Roundup Robot (python-dev) |
Date: 2015-02-03 00:05 | |
New changeset 356ed025dbae by Serhiy Storchaka in branch '3.3': Issues #23363, #23364, #23365, #23366: Fixed itertools overflow tests. https://hg.python.org/cpython/rev/356ed025dbae New changeset 98c720c3e061 by Serhiy Storchaka in branch '3.4': Issues #23363, #23364, #23365, #23366: Fixed itertools overflow tests. https://hg.python.org/cpython/rev/98c720c3e061 New changeset 4cb316fe6bf2 by Serhiy Storchaka in branch 'default': Issues #23363, #23364, #23365, #23366: Fixed itertools overflow tests. https://hg.python.org/cpython/rev/4cb316fe6bf2 |
|||
| msg235378 - (view) | Author: Roundup Robot (python-dev) |
Date: 2015-02-04 06:09 | |
New changeset 887526ebb013 by Serhiy Storchaka in branch '2.7': Issues #23363, #23364, #23365, #23366: Fixed itertools overflow tests. https://hg.python.org/cpython/rev/887526ebb013 |
|||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:58:12 | admin | set | github: 67555 |
| 2015-02-04 06:09:59 | python-dev | set | messages: + msg235378 |
| 2015-02-04 01:25:01 | Arfrever | set | versions: + Python 2.7, Python 3.3, Python 3.5 |
| 2015-02-03 07:42:09 | serhiy.storchaka | set | status: open -> closed resolution: fixed stage: patch review -> resolved |
| 2015-02-03 00:05:22 | python-dev | set | messages: + msg235308 |
| 2015-02-02 22:54:29 | benjamin.peterson | set | nosy:
+ benjamin.peterson messages: + msg235299 |
| 2015-02-02 17:00:09 | serhiy.storchaka | set | files:
+ itertools_overflows_2.patch resolution: fixed -> (no value) messages: + msg235272 stage: resolved -> patch review |
| 2015-02-02 07:05:08 | serhiy.storchaka | set | status: closed -> open files: + itertools_overflows.patch nosy: + serhiy.storchaka messages: + msg235227 keywords: + patch |
| 2015-02-02 02:04:58 | python-dev | set | status: open -> closed nosy: + python-dev messages: + msg235216 resolution: fixed stage: resolved |
| 2015-02-01 21:17:40 | Arfrever | set | nosy:
+ Arfrever |
| 2015-02-01 13:56:22 | pkt | create | |