Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Integer overflow in array.array.remove() #80466

Closed
sth mannequin opened this issue Mar 14, 2019 · 3 comments
Closed

Integer overflow in array.array.remove() #80466

sth mannequin opened this issue Mar 14, 2019 · 3 comments
Labels
3.7 (EOL) end of life 3.8 only security fixes extension-modules C modules in the Modules dir type-crash A hard crash of the interpreter, possibly with a core dump

Comments

@sth
Copy link
Mannequin

sth mannequin commented Mar 14, 2019

BPO 36285
Nosy @vstinner, @sth, @serhiy-storchaka, @iritkatriel
PRs
  • bpo-36285: Array module int overflow #12317
    		•

    Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    Show more details

    GitHub fields:

    assignee = None
closed_at = <Date 2020-10-18.09:37:52.776>
created_at = <Date 2019-03-14.00:02:42.253>
labels = ['extension-modules', '3.7', '3.8', 'type-crash']
title = 'Integer overflow in array.array.remove()'
updated_at = <Date 2020-10-18.09:37:52.776>
user = 'https://github.com/sth'

    bugs.python.org fields:

    activity = <Date 2020-10-18.09:37:52.776>
actor = 'serhiy.storchaka'
assignee = 'none'
closed = True
closed_date = <Date 2020-10-18.09:37:52.776>
closer = 'serhiy.storchaka'
components = ['Extension Modules']
creation = <Date 2019-03-14.00:02:42.253>
creator = 'sth'
dependencies = []
files = []
hgrepos = []
issue_num = 36285
keywords = ['patch']
message_count = 3.0
messages = ['337889', '338508', '378767']
nosy_count = 4.0
nosy_names = ['vstinner', 'sth', 'serhiy.storchaka', 'iritkatriel']
pr_nums = ['12317']
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'crash'
url = 'https://bugs.python.org/issue36285'
versions = ['Python 2.7', 'Python 3.4', 'Python 3.5', 'Python 3.6', 'Python 3.7', 'Python 3.8']
    @sth
    Copy link
    Mannequin Author

    sth mannequin commented Mar 14, 2019

    The array module's array.remove(x) iterates over the array, searching for x. If the array contains >=2G elements this can overflow the int loop variable.

    array__array_reconstructor_impl() also contains loops with int variables that likely have the similar problems.

    Changing the loop variables to Py_ssize_t fixes the problem. For details see the PR.

    @sth sth mannequin added 3.7 (EOL) end of life 3.8 only security fixes extension-modules C modules in the Modules dir type-crash A hard crash of the interpreter, possibly with a core dump labels Mar 14, 2019
    @serhiy-storchaka
    Copy link
    Member

    New changeset aa3ecb8 by Serhiy Storchaka (sth) in branch 'master':
    bpo-36285: Fix integer overflow in the array module. (GH-12317)
    aa3ecb8

    @iritkatriel
    Copy link
    Member

    Can this be closed? It was not backported to 3.7, but that's over now right?

    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
    Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
    Assignees
    No one assigned
    Labels
    3.7 (EOL) end of life 3.8 only security fixes extension-modules C modules in the Modules dir type-crash A hard crash of the interpreter, possibly with a core dump
    Projects
    None yet
    Milestone
    No milestone
    Development

    No branches or pull requests
    2 participants
    @iritkatriel @serhiy-storchaka