classification
Title: Invalid reads in fastsearch.h
Type: behavior
Stage: resolved
Components: Interpreter Core
Versions: Python 2.7
process
Status: closed
Resolution: duplicate
Dependencies:
Superseder: Stringlib fastsearch can read beyond the front of an array (issue 8530)
Assigned To:
Nosy List: flox, skrah
Priority: normal
Keywords:

Created on 2010-07-12 21:07 by skrah, last changed 2010-07-15 22:17 by skrah. This issue is now closed.

Messages (1)
msg110140 - (view) Author: Stefan Krah (skrah) * (Python committer) Date: 2010-07-12 21:07
In test_bytes Valgrind finds two reads with negative array indices.


test_bytes
==7341== Invalid read of size 1
==7341==    at 0x4EDA24: fastsearch (fastsearch.h:143)
==7341==    by 0x4F170E: bytearray_find_internal (find.h:42)
==7341==    by 0x4F17BD: bytearray_rindex (bytearrayobject.c:1267)
==7341==    by 0x49DDA0: PyEval_EvalFrameEx (ceval.c:4322)
==7341==    by 0x49FD2A: PyEval_EvalCodeEx (ceval.c:3252)
==7341==    by 0x49D741: PyEval_EvalFrameEx (ceval.c:4108)
==7341==    by 0x49E155: PyEval_EvalFrameEx (ceval.c:4098)
==7341==    by 0x49FD2A: PyEval_EvalCodeEx (ceval.c:3252)
==7341==    by 0x4FE1BE: function_call (funcobject.c:526)
==7341==    by 0x41AE8C: PyObject_Call (abstract.c:2522)
==7341==    by 0x49B9AB: PyEval_EvalFrameEx (ceval.c:4325)
==7341==    by 0x49FD2A: PyEval_EvalCodeEx (ceval.c:3252)
==7341==  Address 0xcfd37df is 1 bytes before a block of size 6 alloc'd
==7341==    at 0x4C2412C: malloc (vg_replace_malloc.c:195)
==7341==    by 0x4C241A6: realloc (vg_replace_malloc.c:476)
==7341==    by 0x4EF441: PyByteArray_Resize (bytearrayobject.c:259)
==7341==    by 0x4F0F8A: bytearray_iconcat (bytearrayobject.c:340)
==7341==    by 0x4F113E: bytearray_init (bytearrayobject.c:810)
==7341==    by 0x468531: type_call (typeobject.c:723)
==7341==    by 0x41AE8C: PyObject_Call (abstract.c:2522)
==7341==    by 0x499129: PyEval_EvalFrameEx (ceval.c:4230)
==7341==    by 0x49E155: PyEval_EvalFrameEx (ceval.c:4098)
==7341==    by 0x49FD2A: PyEval_EvalCodeEx (ceval.c:3252)
==7341==    by 0x4FE1BE: function_call (funcobject.c:526)
==7341==    by 0x41AE8C: PyObject_Call (abstract.c:2522)
==7341== 
==7341== 
==7341== ---- Attach to debugger ? --- [Return/N/n/Y/y/C/c] ---- y
==7341== starting debugger with cmd: /usr/bin/gdb -nw /proc/7507/fd/1014 7507
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu"...
Attaching to program: /proc/7507/fd/1014, process 7507
fastsearch (s=0xcfd37e0 "world", n=0, p=0xa0170b4 "worm", m=4, maxcount=<value optimized out>, mode=2) at Objects/stringlib/fastsearch.h:143
143                     if (!STRINGLIB_BLOOM(mask, s[i-1]))
(gdb) p i
$1 = 0
==7341== 
==7341== Debugger has detached.  Valgrind regains control.  We continue.
==7341== Invalid read of size 1
==7341==    at 0x4ED9B0: fastsearch (fastsearch.h:149)
==7341==    by 0x4F0938: bytearray_rsplit (split.h:311)
==7341==    by 0x49E6C1: PyEval_EvalFrameEx (ceval.c:4012)
==7341==    by 0x49E155: PyEval_EvalFrameEx (ceval.c:4098)
==7341==    by 0x49FD2A: PyEval_EvalCodeEx (ceval.c:3252)
==7341==    by 0x4FE1BE: function_call (funcobject.c:526)
==7341==    by 0x41AE8C: PyObject_Call (abstract.c:2522)
==7341==    by 0x49B9AB: PyEval_EvalFrameEx (ceval.c:4325)
==7341==    by 0x49FD2A: PyEval_EvalCodeEx (ceval.c:3252)
==7341==    by 0x4FE1BE: function_call (funcobject.c:526)
==7341==    by 0x41AE8C: PyObject_Call (abstract.c:2522)
==7341==    by 0x42237E: instancemethod_call (classobject.c:2578)
==7341==  Address 0xf7c508f is 1 bytes before a block of size 12 alloc'd
==7341==    at 0x4C2412C: malloc (vg_replace_malloc.c:195)
==7341==    by 0x4C241A6: realloc (vg_replace_malloc.c:476)
==7341==    by 0x4EF441: PyByteArray_Resize (bytearrayobject.c:259)
==7341==    by 0x4F0F8A: bytearray_iconcat (bytearrayobject.c:340)
==7341==    by 0x4F113E: bytearray_init (bytearrayobject.c:810)
==7341==    by 0x468531: type_call (typeobject.c:723)
==7341==    by 0x41AE8C: PyObject_Call (abstract.c:2522)
==7341==    by 0x499129: PyEval_EvalFrameEx (ceval.c:4230)
==7341==    by 0x49E155: PyEval_EvalFrameEx (ceval.c:4098)
==7341==    by 0x49FD2A: PyEval_EvalCodeEx (ceval.c:3252)
==7341==    by 0x4FE1BE: function_call (funcobject.c:526)
==7341==    by 0x41AE8C: PyObject_Call (abstract.c:2522)
==7341== 
==7341== 
==7341== ---- Attach to debugger ? --- [Return/N/n/Y/y/C/c] ---- y
==7341== starting debugger with cmd: /usr/bin/gdb -nw /proc/7534/fd/1014 7534
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu"...
Attaching to program: /proc/7534/fd/1014, process 7534
fastsearch (s=0xf7c5090 "mississippi", n=0, p=0x9eba16c "ss", m=2, maxcount=-1, mode=2) at Objects/stringlib/fastsearch.h:149
149                     if (!STRINGLIB_BLOOM(mask, s[i-1]))
(gdb) p i
$1 = 0
History
Date                 User   Action  Args
2010-07-15 22:17:16  skrah  set     status: open -> closed
                                    resolution: duplicate
                                    superseder: Stringlib fastsearch can read beyond the front of an array
                                    stage: resolved
2010-07-12 21:29:23  skrah  set     nosy: + flox
2010-07-12 21:07:06  skrah  create