New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Test for integer overflow on Py_ssize_t: explicitly cast to size_t #66403
Comments
Python contains a lot of tests like this one:
where length type is Py_ssize_t. This test uses signed integers. There is usually a "assert(length > 0);" before. The issue bpo-22110 enabled more compiler warnings and there are now warnings when the test uses an unsigned number. Example: if (size > PY_SSIZE_T_MAX - PyBytesObject_SIZE) ... where PyBytesObject_SIZE is defined using offsetof() which returns a size_t. I propose to always cast Py_ssize_t length to size_t to avoid undefined behaviour (I never know if the compiler chooses signed or unsigned at the end) to ensure that the test also fail for negative number. For example, the following test must fail for negative size: if ((size_t)size > (size_t)PY_SSIZE_T_MAX - PyBytesObject_SIZE) ... Attached patch changes bytesobject.c, tupleobject.c and unicodeobject.c (and asdl.c). If the global approach is accepted, more files should be patched. |
overflow2.patch: more changes for this issue (it doesn't replace my previous patch). |
New changeset 97c70528b604 by Victor Stinner in branch 'default': |
I commited the first part. The remaining part is a long patch for unicodeobject.c. |
I think there are too many changes. Here is simpler patch which get rid of all warnings in Objects/unicodeobject.c on my computer (gcc 4.6.3, 32-bit Linux). |
The purpose of my patch is not to make the compiler quiet, but to ensure that negative lengths are handled correctly: Python must raise an error if a length is negative. For example, _PyUnicode_DecodeUnicodeInternal() doesn't check currently if the size is negative. I don't know exactly what happens if you pass a negative size. |
Gregory just has committed an equivalent of unicode_2.patch in a404bf4db6a6. |
modify it as you see fit, i hadn't noticed this issue; just the warnings. |
Yes, these warning annoyed me too. But Victor's patch is purposed to check |
Here is original Victor's patch synchronized with the tip. |
I have reviewed the patch and found only few checks which looks good to me. Also I found two possible overflows (not fixed by the patch). All other changes looks redundant to me and just churn a code. |
Ok, let's close the issue in that case ;-) |
I extracted the cases that really can happen in PR 2623. |
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: