classification
Title: Integer overflow in array.array.remove()
Type: crash
Stage: resolved
Components: Extension Modules
Versions: Python 3.8, Python 3.7, Python 3.6, Python 3.4, Python 3.5, Python 2.7
process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To:
Nosy List: iritkatriel, serhiy.storchaka, sth, vstinner
Priority: normal
Keywords: patch

Created on 2019-03-14 00:02 by sth, last changed 2020-10-18 09:37 by serhiy.storchaka. This issue is now closed.

Pull Requests
URL Status Linked
PR 12317 merged sth, 2019-03-14 00:17
Messages (3)
msg337889 - Author: Stephan Hohe (sth) Date: 2019-03-14 00:02
The array module's `array.remove(x)` iterates over the array, searching for `x`. If the array contains >=2G elements this can overflow the `int` loop variable.

`array__array_reconstructor_impl()` also contains loops with `int` variables that likely have similar problems.

Changing the loop variables to `Py_ssize_t` fixes the problem. For details see the PR.
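
A scaled-down model of the loop-counter problem described in the message above, added here as an illustration; it is not code from the PR or from CPython. It assumes `int8_t` standing in for the `int` loop variable, `ptrdiff_t` standing in for `Py_ssize_t`, and a constructed 200-element buffer standing in for an array with >=2G elements; the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Scaled-down model (constructed, not CPython source): int8_t plays the
 * `int` counter, ptrdiff_t plays Py_ssize_t, 200 elements play >= 2G. */
#define MODEL_LEN 200
enum { NOT_FOUND = -1, COUNTER_WRAPPED = -2 };

/* Search with a counter narrower than the length type. */
static ptrdiff_t find_narrow(const unsigned char *items, ptrdiff_t len,
                             unsigned char x)
{
    for (int8_t i = 0; i < len; i++) {
        /* Past INT8_MAX the counter cannot hold the next index. Converting
         * 128 back to int8_t is implementation-defined (GCC and Clang wrap
         * to -128); overflowing a real `int` is undefined behaviour.
         * Report the wrap instead of indexing with a negative value. */
        if (i < 0)
            return COUNTER_WRAPPED;
        if (items[i] == x)
            return i;
    }
    return NOT_FOUND;
}

/* Same search with a counter as wide as the length. */
static ptrdiff_t find_wide(const unsigned char *items, ptrdiff_t len,
                           unsigned char x)
{
    for (ptrdiff_t i = 0; i < len; i++) {
        if (items[i] == x)
            return i;
    }
    return NOT_FOUND;
}

int main(void)
{
    unsigned char buf[MODEL_LEN] = {0};   /* constructed sample data */
    buf[150] = 0xAA;                      /* target beyond INT8_MAX */
    printf("narrow=%td wide=%td\n", find_narrow(buf, MODEL_LEN, 0xAA),
           find_wide(buf, MODEL_LEN, 0xAA));
    return 0;
}
```
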
msg338508 - Author: Serhiy Storchaka (serhiy.storchaka) (Python committer) Date: 2019-03-20 19:49
New changeset aa3ecb80416958eb6fe8cc1b0dfbbfdfbcccead1 by Serhiy Storchaka (sth) in branch 'master':
bpo-36285: Fix integer overflow in the array module. (GH-12317)
https://github.com/python/cpython/commit/aa3ecb80416958eb6fe8cc1b0dfbbfdfbcccead1
msg378767 - Author: Irit Katriel (iritkatriel) (Python triager) Date: 2020-10-16 22:15
Can this be closed? It was not backported to 3.7, but that's over now, right?
History
Date User Action Args
2020-10-18 09:37:52 serhiy.storchaka set status: open -> closed; resolution: fixed; stage: patch review -> resolved
2020-10-16 22:15:13 iritkatriel set nosy: + iritkatriel; messages: + msg378767
2019-03-20 19:49:43 serhiy.storchaka set messages: + msg338508
2019-03-14 01:14:40 xtreak set nosy: + vstinner, serhiy.storchaka
2019-03-14 00:17:53 sth set keywords: + patch; stage: patch review; pull_requests: + pull_request12291
2019-03-14 00:02:42 sth create