Message 117448 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	dmalcolm
Recipients	dmalcolm
Date	2010-09-27.15:11:31
SpamBayes Score	7.872874e-09
Marked as misclassified	No
Message-id	<1285600296.08.0.731959847047.issue9960@psf.upfronthosting.co.za>
In-reply-to

Content
test test_structmembers crashed -- <type 'exceptions.ValueError'>: string too long Traceback (most recent call last): File "/builddir/build/BUILD/Python-2.7/Lib/test/regrtest.py", line 863, in runtest_inner the_package = __import__(abstest, globals(), locals(), []) File "/builddir/build/BUILD/Python-2.7/Lib/test/test_structmembers.py", line 12, in <module> 9.99999, 10.1010101010, "hi") ValueError: string too long _testcapimodule.c: test_structmembers_new's fmt has: "s#" and these args: &s, &string_len for grabbing this data: const char s = NULL; Py_ssize_t string_len = 0; However, the module doesn't define PY_SSIZE_T_CLEAN, which leads to &string_len being treated as an (int) rather than a (Py_ssize_t) and thus written to with just the first 32-bits of the size, rather than the full size. The PyArgs_ call without PY_SSIZE_T_CLEAN writes the size of the string (2) through (int)&string_len, writing 0x00000002 to the first 4 bytes, setting the 64-bit "string_len" value to 0x0000000200000000 i.e. 2^34, wildly too large for the iirc 5 byte buffer. Confirmed in gdb: (gdb) p string_len $2 = 8589934592 (gdb) p /x string_len $3 = 0x200000000 Am attaching a patch (against 2.7 maintenance branch) which defines PY_SSIZE_T_CLEAN; doing so requires updating another int to be a Py_ssize_t in that module, within test_u_code. http://docs.python.org/c-api/arg.html lists "u# (Unicode) [Py_UNICODE *, int]" and has no reference to the effect of PY_SSIZE_T_CLEAN on the "u#" format specifier. My reading of Python/getargs.c is that this macro does affect "u#" in a manner analogous to "s#"; does this documentation need clarifying?

test test_structmembers crashed -- <type 'exceptions.ValueError'>:
string too long
Traceback (most recent call last):
  File "/builddir/build/BUILD/Python-2.7/Lib/test/regrtest.py", line 863, in runtest_inner
    the_package = __import__(abstest, globals(), locals(), [])
  File "/builddir/build/BUILD/Python-2.7/Lib/test/test_structmembers.py", line 12, in <module>
    9.99999, 10.1010101010, "hi")
ValueError: string too long

_testcapimodule.c: test_structmembers_new's fmt has:
  "s#"
and these args:
  &s, &string_len

for grabbing this data:
    const char *s = NULL;
    Py_ssize_t string_len = 0;

However, the module doesn't define PY_SSIZE_T_CLEAN, which leads to &string_len being treated as an (int*) rather than a (Py_ssize_t*) and thus written to with just the first 32-bits of the size, rather than the full size.

The PyArgs_ call without PY_SSIZE_T_CLEAN writes the size of the string (2) through (int*)&string_len, writing 0x00000002 to the first 4 bytes, setting the 64-bit "string_len" value to 0x0000000200000000 i.e. 2^34, wildly too large for the iirc 5 byte buffer.

Confirmed in gdb:
  (gdb) p string_len
  $2 = 8589934592

  (gdb) p /x string_len
  $3 = 0x200000000

Am attaching a patch (against 2.7 maintenance branch) which defines PY_SSIZE_T_CLEAN; doing so requires updating another int to be a Py_ssize_t in that module, within test_u_code.


http://docs.python.org/c-api/arg.html lists "u# (Unicode) [Py_UNICODE *, int]" and has no reference to the effect of PY_SSIZE_T_CLEAN on the "u#" format specifier.  My reading of Python/getargs.c is that this macro does affect "u#" in a manner analogous to "s#"; does this documentation need clarifying?

History
Date	User	Action	Args
2010-09-27 15:11:36	dmalcolm	set	recipients: + dmalcolm
2010-09-27 15:11:36	dmalcolm	set	messageid: <1285600296.08.0.731959847047.issue9960@psf.upfronthosting.co.za>
2010-09-27 15:11:33	dmalcolm	link	issue9960 messages
2010-09-27 15:11:32	dmalcolm	create