str.find() and str.rfind() reads non initialized memory (using
memcmp()) if start is bigger than end.

Attached patch fixes the issue and includes a patch.

In my test, start=6287518193 is an arbitrary value, it may crash or
not. The test might use any random integer > 0.

The bug was introduced in Python 2.5 during the needforspeed sprint:
r46469 (May 27 2006).
http://wiki.python.org/moin/NeedForSpeed

Python < 2.5 is not affected, Python 3.x is affected.

CRASH_rfind.py is more stable and should always crash if your Python
version has the bug.

This bug does not occur on Debian 64 bits.

 ~ $ uname -srvm
Linux 2.6.30-bpo.1-amd64 #1 SMP Mon Aug 17 08:42:50 UTC 2009 x86_64

Tested with variants:
        from random import getrandbits
        self.checkequal(-1, 'ab', 'find', 'xxx', getrandbits(64), 0)
        self.checkequal(-1, 'ab', 'find', 'xxx', getrandbits(96), 0)
        self.checkequal(-1, 'ab', 'rfind', 'xxx', getrandbits(64), 0)
        self.checkequal(-1, 'ab', 'rfind', 'xxx', getrandbits(96), 0)

> This bug does not occur on Debian 64 bits.

It does, sometime :-) Read uninitiliazed memory doesn't always crash.

   $ python -c "'ab'.rfind('xxx', (1 << 63) + 10, 0)"
   Erreur de segmentation

Note: my 64 bits test in CRASH_rfind.py is wrong, ctypes.c_long should
be used instead of ctypes.c_int.

New patch with a more stable test. test_unicode does also fail (error
or crash) without the patch on find.h.

I got it to crash (2.7):

~ $ ./python Lib/test/regrtest.py string_tests test_unicode test_str
test_unicode
test test_unicode failed -- Traceback (most recent call last):
AssertionError: -1 != -8276732

test_str
test test_str failed -- Traceback (most recent call last):
AssertionError: -1 != -255833

2 tests failed:
    test_unicode test_str
[56425 refs]
~ $ 

Thank you haypo :)

You shouldn't harcode 1 << 63 and 1 << 64, but calculate them based on
sys.maxsize instead.

pitrou> You shouldn't harcode 1 << 63 and 1 << 64, but calculate 
pitrou> them based on sys.maxsize instead.

(sys.maxint) Yes, you're right. Does str_find-3.patch looks better?
It's not easy to always detect an Heisenbug :-)

sys.maxint/sys.maxsize: oops, sys.maxsize *does* exist (in Python >=
2.6), sorry. Here is a new patch using sys.maxsize.

Anyway, sys.maxsize sounds better because the integer overflow occurs
in a Py_ssize_t variable (j).

I reviewed the patch, and it seems partially redundant.

Actually the "find" method was not broken.
There is already a test "if (str_len < 0) return -1;" for this one.

See attached patch.

flox> Actually the "find" method was not broken.

Oh, you're right, str.find() was already fixed by r66631 (related to
issue #3967). I prefer your patch flox ;-)

I fixed this issue title.

I proposed a patch which solve this issue and improve performance of
str.rfind. See issue 7462.

Ok, I've committed the tests after the patch for issue7462 removed the offending code. Thanks!

> Ok, I've committed the tests after the patch for issue7462 removed the offending code. Thanks!

r77241 and r77247 in trunk