Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bytes_concat seems to check overflow using undefined behaviour #71660

Closed
zhangyangyu opened this issue Jul 9, 2016 · 16 comments
Closed

bytes_concat seems to check overflow using undefined behaviour #71660

zhangyangyu opened this issue Jul 9, 2016 · 16 comments
Assignees
@serhiy-storchaka
Labels
interpreter-core (Objects, Python, Grammar, and Parser dirs) type-bug An unexpected behavior, bug, or error

Comments

@zhangyangyu
Copy link
Member

BPO 27473
Nosy @vadmium, @serhiy-storchaka, @ztane, @zhangyangyu
Files
  • bytes_concat_overflow_check.patch
  • bytes_concat_overflow_check_v2.patch: include bytearray concat
  • bytes_concat_overflow_check_v3.patch
  • concat_and_repeat_overflow_check-2.7.patch
    		•

    Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    Show more details

    GitHub fields:

    assignee = 'https://github.com/serhiy-storchaka'
closed_at = <Date 2016-07-12.12:47:56.171>
created_at = <Date 2016-07-09.16:46:44.595>
labels = ['interpreter-core', 'type-bug']
title = 'bytes_concat seems to check overflow using undefined behaviour'
updated_at = <Date 2016-07-12.12:47:56.170>
user = 'https://github.com/zhangyangyu'

    bugs.python.org fields:

    activity = <Date 2016-07-12.12:47:56.170>
actor = 'serhiy.storchaka'
assignee = 'serhiy.storchaka'
closed = True
closed_date = <Date 2016-07-12.12:47:56.171>
closer = 'serhiy.storchaka'
components = ['Interpreter Core']
creation = <Date 2016-07-09.16:46:44.595>
creator = 'xiang.zhang'
dependencies = []
files = ['43671', '43675', '43676', '43678']
hgrepos = []
issue_num = 27473
keywords = ['patch']
message_count = 16.0
messages = ['270053', '270066', '270072', '270075', '270076', '270079', '270081', '270082', '270087', '270092', '270094', '270096', '270123', '270127', '270153', '270240']
nosy_count = 5.0
nosy_names = ['python-dev', 'martin.panter', 'serhiy.storchaka', 'ztane', 'xiang.zhang']
pr_nums = []
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'behavior'
url = 'https://bugs.python.org/issue27473'
versions = ['Python 2.7', 'Python 3.5', 'Python 3.6']
    @zhangyangyu
    Copy link
    Member Author

    bytes_concat uses following code to check overflow:

    size = va.len + vb.len;
if (size < 0): {
    PyErr_NoMemory();
    goto done;
}

    This is wrong since signed ints overflow is undefined bahaviour.

    But one point is that Python's Makefile defines -fwrapv with gcc and
    clang. So I am not sure this needs to be changed or not. But in other
    parts of Python code I don't see any overflow check like this. I only
    see pre-calculated overflow checks.

    @zhangyangyu zhangyangyu added the type-bug An unexpected behavior, bug, or error label Jul 9, 2016
    @serhiy-storchaka
    Copy link
    Member

    This should be fixed.

    @serhiy-storchaka serhiy-storchaka added the interpreter-core (Objects, Python, Grammar, and Parser dirs) label Jul 9, 2016
    @zhangyangyu
    Copy link
    Member Author

    Attach a patch to fix this.

    @vadmium
    Copy link
    Member

    vadmium commented Jul 10, 2016

    The patch looks correct to me.

    bpo-1621 is open about the general problem of overflows.

    @vadmium
    Copy link
    Member

    vadmium commented Jul 10, 2016

    I changed the versions without checking first. Long story short: Objects/stringobject.c (Python 2 equivalent of Objects/bytesobject.c) is already fixed, but in all versions, Objects/bytearrayobject.c is apparently unfixed.

    Python 2 was fixed as part of r65335. Python 3 was supposed to be fixed in r66009 (bpo-3627), but it looks like some of the fixes were missed.

    @ztane
    Copy link
    Mannequin

    ztane mannequin commented Jul 10, 2016

    The previous code was perfectly fine with -fwrapv since it makes signed overflow behaviour defined. And afaik BDFLs stance is that signed integer overflow should be defined to wrap anyhow.

    ----

    In my opinion the -fwrapv itself makes one proliferate all these insane wrap-checks; indeed I'd rather have them defined in a macro, something like

        if (PYSSIZE_OVERFLOWS_ON_ADD(va.len, vb.len)) {
        PyErr_NoMemory();
        goto done;
    }
        size = va.len + vb.len;

    even though -fwrapv is defined; that way it'd be obvious what is supposed to happen there.

    @zhangyangyu
    Copy link
    Member Author

    Yes, the current code is valid with -fwrapv. But I am not sure if every compiler supports this feature. So maybe we can't totally rely on it. And in bpo-1621, some efforts seem to have worked to factor these out.

    @serhiy-storchaka
    Copy link
    Member

    Xiang Zhang, could you please write a patch for bytearray too?

    @zhangyangyu
    Copy link
    Member Author

    Of course. I forgot to check bytearray. :(

    The new patch now also includes bytearray.

    @serhiy-storchaka
    Copy link
    Member

    And bytearray_iconcat() please.

    @zhangyangyu
    Copy link
    Member Author

    Sorry. v3 now includes iconcat.

    @serhiy-storchaka
    Copy link
    Member

    LGTM.

    @serhiy-storchaka serhiy-storchaka self-assigned this Jul 10, 2016
    @python-dev
    Copy link
    Mannequin

    python-dev mannequin commented Jul 10, 2016

    New changeset dac248056b20 by Serhiy Storchaka in branch '3.5':
    Issue bpo-27473: Fixed possible integer overflow in bytes and bytearray
    https://hg.python.org/cpython/rev/dac248056b20

    New changeset de8f0e9196d8 by Serhiy Storchaka in branch 'default':
    Issue bpo-27473: Fixed possible integer overflow in bytes and bytearray
    https://hg.python.org/cpython/rev/de8f0e9196d8

    @serhiy-storchaka
    Copy link
    Member

    Here is a patch for 2.7. It fixes also concatenation and repetition of str and unicode.

    @zhangyangyu
    Copy link
    Member Author

    Left a comment.

    @python-dev
    Copy link
    Mannequin

    python-dev mannequin commented Jul 12, 2016

    New changeset 130d97217e36 by Serhiy Storchaka in branch '2.7':
    Issue bpo-27473: Fixed possible integer overflow in str, unicode and bytearray
    https://hg.python.org/cpython/rev/130d97217e36

    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
    Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
    Assignees

    @serhiy-storchaka serhiy-storchaka

    Labels
    interpreter-core (Objects, Python, Grammar, and Parser dirs) type-bug An unexpected behavior, bug, or error
    Projects
    None yet
    Milestone
    No milestone
    Development

    No branches or pull requests
    3 participants
    @vadmium @serhiy-storchaka @zhangyangyu