Message146927
The _PyString_Resize function in stringobject.c[0] takes in a PyObject ** and a Py_ssize_t newsize. Where Py_ssize_t is often a typedef for ssize_t(a signed version of size_t). As such the newsize parameter could be negative.
The code checks for when the newsize is negative like so:
int
_PyString_Resize(PyObject **pv, Py_ssize_t newsize)
{
...
if (!PyString_Check(v) || Py_REFCNT(v) != 1 || newsize < 0 ||
PyString_CHECK_INTERNED(v)) {
*pv = 0;
Py_DECREF(v);
PyErr_BadInternalCall();
return -1;
}
Unfortunately, a few lines below it does the following:
*pv = (PyObject *)
PyObject_REALLOC((char *)v, PyStringObject_SIZE + newsize);
so now if PyStringObject_SIZE + newsize is enough to wrap around then realloc through python will end up allocating insufficient space for the 'new' string. The python interpreter is likely to crash on this line -->
sv->ob_sval[newsize] = '\0';
I haven't tried to reproduce this in the python interpreter.
IMHO the code should be checking that newline + PyStringObject_SIZE is non-negative.
[0] - http://svn.python.org/projects/python/trunk/Objects/stringobject.c |
|
Date |
User |
Action |
Args |
2011-11-03 12:50:02 | asdfasdfasdfasdfasdfasdfasdf | set | recipients:
+ asdfasdfasdfasdfasdfasdfasdf |
2011-11-03 12:50:02 | asdfasdfasdfasdfasdfasdfasdf | set | messageid: <1320324602.51.0.635021711304.issue13334@psf.upfronthosting.co.za> |
2011-11-03 12:50:01 | asdfasdfasdfasdfasdfasdfasdf | link | issue13334 messages |
2011-11-03 12:50:01 | asdfasdfasdfasdfasdfasdfasdf | create | |
|