classification
Title: Integer overflow in array.array.remove()
Type: crash
Stage: patch review
Components: Extension Modules
Versions: Python 3.8, Python 3.7, Python 3.6, Python 3.4, Python 3.5, Python 2.7
process
Status: open
Resolution:
Dependencies:
Superseder:
Assigned To:
Nosy List: serhiy.storchaka, sth, vstinner
Priority: normal
Keywords: patch

Created on 2019-03-14 00:02 by sth, last changed 2019-03-20 19:49 by serhiy.storchaka.

Pull Requests
URL Status Linked
PR 12317 merged sth, 2019-03-14 00:17
Messages (2)
msg337889 - Author: Stephan Hohe (sth) Date: 2019-03-14 00:02
The array module's `array.remove(x)` iterates over the array, searching for `x`. If the array contains >=2G elements this can overflow the `int` loop variable.

`array__array_reconstructor_impl()` also contains loops with `int` variables that likely have similar problems.

Changing the loop variables to `Py_ssize_t` fixes the problem. For details see the PR.
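
A scaled-down model of the loop-index defect described in this report, added here as an illustration; it is not part of the original message or of the CPython patch. Assumptions: `int8_t` stands in for `int`, `ptrdiff_t` stands in for `Py_ssize_t`, a constructed 200-element array stands in for one with >=2G elements, and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define N 200              /* constructed length, larger than INT8_MAX (127) */
#define NOT_FOUND (-1)
#define INDEX_WRAPPED (-2) /* model-only result: index went negative */

/* Pre-fix loop shape: the index type is narrower than the length type.
 * int8_t stands in for int; going past INT8_MAX wraps to a negative value
 * on mainstream compilers (with a real int the overflow is undefined). */
static ptrdiff_t find_narrow(const unsigned char *items, ptrdiff_t len, unsigned char x)
{
    int8_t i;
    for (i = 0; i < len; i++) {
        if (i < 0)               /* guard exists only so the model never reads items[-128] */
            return INDEX_WRAPPED;
        if (items[i] == x)
            return i;
    }
    return NOT_FOUND;
}

/* Post-fix loop shape: index has the same signed width as the length. */
static ptrdiff_t find_wide(const unsigned char *items, ptrdiff_t len, unsigned char x)
{
    ptrdiff_t i;
    for (i = 0; i < len; i++) {
        if (items[i] == x)
            return i;
    }
    return NOT_FOUND;
}

/* Build a constructed array holding one 0xFF at position pos and search for it. */
static ptrdiff_t search_at(ptrdiff_t pos, int use_wide)
{
    unsigned char items[N];
    memset(items, 0, sizeof items);
    items[pos] = 0xFF;
    return use_wide ? find_wide(items, N, 0xFF) : find_narrow(items, N, 0xFF);
}

int main(void)
{
    printf("target at 50:  narrow=%td wide=%td\n", search_at(50, 0), search_at(50, 1));
    printf("target at 199: narrow=%td wide=%td\n", search_at(199, 0), search_at(199, 1));
    return 0;
}
```

Both loops agree while the match lies below the narrow type's maximum; they diverge only once the search has to step past it, which is why a defect of this shape goes unnoticed on arrays of ordinary size.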
msg338508 - Author: Serhiy Storchaka (serhiy.storchaka) (Python committer) Date: 2019-03-20 19:49
New changeset aa3ecb80416958eb6fe8cc1b0dfbbfdfbcccead1 by Serhiy Storchaka (sth) in branch 'master':
bpo-36285: Fix integer overflow in the array module. (GH-12317)
https://github.com/python/cpython/commit/aa3ecb80416958eb6fe8cc1b0dfbbfdfbcccead1
History
Date User Action Args
2019-03-20 19:49:43 serhiy.storchaka set messages: + msg338508
2019-03-14 01:14:40 xtreak set nosy: + vstinner, serhiy.storchaka
2019-03-14 00:17:53 sth set keywords: + patch
    stage: patch review
    pull_requests: + pull_request12291
2019-03-14 00:02:42 sth create