Author asdfasdfasdfasdfasdfasdfasdf
Date 2011-11-03.12:50:01
Message-id <1320324602.51.0.635021711304.issue13334@psf.upfronthosting.co.za>
Content
The _PyString_Resize function in stringobject.c [0] takes a PyObject ** and a Py_ssize_t newsize, where Py_ssize_t is often a typedef for ssize_t (a signed version of size_t). As such, the newsize parameter could be negative.
The code checks for a negative newsize like so:

int
_PyString_Resize(PyObject **pv, Py_ssize_t newsize)
{
...
    if (!PyString_Check(v) || Py_REFCNT(v) != 1 || newsize < 0 ||
        PyString_CHECK_INTERNED(v)) {
        *pv = 0;
        Py_DECREF(v);
        PyErr_BadInternalCall();
        return -1;
    }

Unfortunately, a few lines below it does the following:
    *pv = (PyObject *)
        PyObject_REALLOC((char *)v, PyStringObject_SIZE + newsize);

So now, if PyStringObject_SIZE + newsize is large enough to wrap around, realloc through Python will end up allocating insufficient space for the 'new' string. The Python interpreter is likely to crash on this line:

    sv->ob_sval[newsize] = '\0';

I haven't tried to reproduce this in the Python interpreter.
IMHO the code should be checking that newsize + PyStringObject_SIZE is non-negative.


[0] - http://svn.python.org/projects/python/trunk/Objects/stringobject.c
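As an added illustration (not code from the report or from CPython), the following C snippet models the check the report describes beside the overflow-safe check it proposes. PyStringObject_SIZE is replaced by a constructed placeholder HEADER_SIZE, and Py_ssize_t is modeled as ptrdiff_t so the example is strict C99; both are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Model of CPython's Py_ssize_t: a signed size type. ptrdiff_t is used in
   place of ssize_t so this compiles as strict C99; the width matches ssize_t
   on the usual platforms. */
typedef ptrdiff_t Py_ssize_t;
#define PY_SSIZE_T_MAX PTRDIFF_MAX

/* Stand-in for PyStringObject_SIZE, the fixed header bytes that precede the
   character data. The value is a constructed placeholder, not CPython's. */
#define HEADER_SIZE ((Py_ssize_t)40)

/* The check as the report describes it: only `newsize < 0` is rejected.
   A huge positive newsize passes, and HEADER_SIZE + newsize then overflows
   when the allocation size is computed. */
bool resize_check_original(Py_ssize_t newsize)
{
    return newsize >= 0;
}

/* Overflow-safe replacement, implementing the report's suggestion: reject
   negative sizes and any newsize for which HEADER_SIZE + newsize would not
   fit in Py_ssize_t. The subtraction cannot itself overflow because
   HEADER_SIZE is a small non-negative constant. */
bool resize_check_hardened(Py_ssize_t newsize)
{
    if (newsize < 0)
        return false;
    return newsize <= PY_SSIZE_T_MAX - HEADER_SIZE;
}

/* Total allocation request; only safe to compute once the hardened check
   has confirmed the sum fits. Returns -1 if the check fails. */
Py_ssize_t resize_total_bytes(Py_ssize_t newsize)
{
    if (!resize_check_hardened(newsize))
        return -1;
    return HEADER_SIZE + newsize;
}
```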