Python 3: Segfault instead of MemoryError when bytearray too big #66531
Comments
On Python 3, but not Python 2, you crash with a Segmentation Fault instead of getting a MemoryError as expected. It seems to only be a problem with bytearray, not with other things like tuple:

$ python3
Python 3.4.0 (default, Apr 11 2014, 13:05:18)
[GCC 4.8.2] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> bytearray(0x7FFFFFFF)
Segmentation fault (core dumped)
$

compare to:

$ python
Python 2.7.6 (default, Mar 22 2014, 22:59:38)
[GCC 4.8.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> bytearray(0x7FFFFFFF)
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
MemoryError
>>>
$ python3
Python 3.4.0 (default, Apr 11 2014, 13:05:18)
[GCC 4.8.2] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> (0,)*0x7FFFFFFF
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
MemoryError
>>>

Looks like an integer overflow introduced in bpo-19087.

+ if (size + logical_offset + 1 < alloc) {

This patch should fix it.

On second thought, "logical_offset + 1" alone could overflow; and there are apparently other possible integer overflows in this function.

"logical_offset + 1" can't overflow because logical_offset is an offset in the allocated array, not counting the final null byte.
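The overflow in the bounds check discussed above, as an added C example that is not part of this issue or of CPython: fits_unsafe reproduces the wrapped result of size + logical_offset + 1 < alloc using a 32-bit stand-in for Py_ssize_t, and plan_resize is a hypothetical rearranged check that never forms the overflowing sum and refuses oversized requests instead (the function names, the 32-bit typedef and the three-way result are assumptions, not CPython's API).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed 32-bit stand-in for Py_ssize_t so the wrap is reproducible on any host. */
typedef int32_t ssize32_t;
#define SSIZE32_MAX INT32_MAX

/* The original check, size + logical_offset + 1 < alloc, computed with the
 * wrap-around a 32-bit build produces (unsigned arithmetic, then a
 * two's-complement reinterpretation). Returns true when the code would
 * wrongly conclude that the existing buffer is large enough. */
static bool fits_unsafe(ssize32_t size, ssize32_t logical_offset, ssize32_t alloc)
{
    uint32_t sum = (uint32_t)size + (uint32_t)logical_offset + 1u;
    ssize32_t wrapped = (ssize32_t)sum;   /* 0x80000000 becomes INT32_MIN */
    return wrapped < alloc;
}

/* Hypothetical rearranged decision. Relies on the invariant stated in the
 * thread: alloc always covers logical_offset plus the trailing null byte, so
 * alloc - logical_offset - 1 is non-negative and the subtraction cannot
 * overflow. Returns 0 = reuse buffer, 1 = reallocate, -1 = refuse (MemoryError). */
static int plan_resize(ssize32_t size, ssize32_t logical_offset, ssize32_t alloc)
{
    if (size < 0 || logical_offset < 0 || alloc <= logical_offset)
        return -1;                       /* invariant violated or bad request */
    if (size < alloc - logical_offset - 1)
        return 0;                        /* fits in the current allocation */
    /* A new buffer would need size + logical_offset + 1 bytes; check that
     * bound without ever forming the sum. */
    if (size > SSIZE32_MAX - logical_offset - 1)
        return -1;                       /* would exceed Py_ssize_t: MemoryError */
    return 1;
}

int main(void)
{
    /* bytearray(0x7FFFFFFF) on a fresh object with a 1-byte allocation. */
    printf("unsafe check says it fits: %d\n", fits_unsafe(SSIZE32_MAX, 0, 1)); /* 1 */
    printf("safe plan: %d\n", plan_resize(SSIZE32_MAX, 0, 1));                /* -1 */
    printf("safe plan, 20 bytes into 16: %d\n", plan_resize(20, 0, 16));      /* 1 */
    return 0;
}
```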
Note that there are two possible crashes in debug mode:

$ ./python -c "bytearray(2**31-1)"
Erreur de segmentation
$ ./python -c "bytearray(2**31-2)"
python: Objects/obmalloc.c:1179: _PyObject_Alloc: Assertion `nelem <= ((Py_ssize_t)(((size_t)-1)>>1)) / elsize' failed.
Abandon

Here is a patch. It also fixes a bug in the debug allocators, which didn't properly check for Py_ssize_t overflow.

LGTM.

New changeset 1590c594550e by Antoine Pitrou in branch '3.4':
New changeset f0b334ae95c9 by Antoine Pitrou in branch 'default':

Thank you. This is now pushed.