New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Get rid of dangerous integer overflow tricks #60300
Comments
In several places such dungerous code used to check the integer overflow: size = n * itemsize;
if (size / itemsize != n) raise exception... Because these values are signed, this results in undefined behavior. The proposed patches replace similar unsafe code to safe one. Note that the patches for the different versions are substantially different. |
The patches looks good for me, but I like to double check before commit. |
It's maybe safer (and simpler) to not touch such code in Python older than 3.4. |
So far, I've been fixing these overflow bugs only in the development branches, unless they can be shown to cause actual bugs. That said, I think it's probably okay to apply these for 3.3 as well as 3.4, especially since the 3.3 patch is smaller than the others. I'll review and apply. |
It's becouse 3.3 already contains some fixes which was not be backported to |
Yes, exactly! That's what I meant when I said: "So far, I've been fixing these overflow bugs only in the development branches" There were lots of integer overflow occurrences like these found by John Regehr in bpo-9530. I chose to fix those only in the current development branch, which was 3.3 at the time. Since we've made an effort to clean up 3.3 in that respect, I think it's worth finishing that job off by applying your patch both to 3.3 and 3.4. |
See bpo-14700. |
Serhiy, I don't understand what you're getting at. Can you explain? |
New changeset 152d85b2da3a by Mark Dickinson in branch '3.3': New changeset faae99459b43 by Mark Dickinson in branch 'default': |
Applied the 3.3 patch to 3.3 and default, with some minor changes:
|
Whoops. I take it back about the Objects/longobject.c bit. Fixing ... |
New changeset 906ae6485cb8 by Mark Dickinson in branch '3.3': New changeset b728aac3bdb3 by Mark Dickinson in branch 'default': |
Yes, reopening bpo-14700 sounds good to me. I'm not against fixing these issues in the bugfix branches, but we need to do it carefully (which unfortunately probably also means slowly). I think that for the bugfix branches, each fix should be accompanied by a test that exercises the original bug. I'd also suggest having a separate issue for each bug, for ease of review. I'd probably also prioritise those bugs that can be triggered without having huge structures in memory: e.g., the bpo-14700 bug seems more important to fix than the PyTuple_New bug. |
Here are updated to current codebase patches for 2.7 and 3.2. It seems that |
I withdraw my patches for 2.7 and 3.2 due to the fact that they have no visible effect on supported platforms. Patches for 3.3+ already committed, therefore I close this issue. |
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: