Author larry
Recipients larry
Date 2013-02-12.06:14:33
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1360649674.7.0.74265466328.issue17190@psf.upfronthosting.co.za>
In-reply-to
Content
The implementations for LOAD_FAST, STORE_FAST, and DELETE_FAST don't check that the index is <= the size of fastlocals.  So it's a snap to crash the interpreter with hand-written bytecode, by going past the end of the fastlocals array.  Kaboom!

Attached is a program that demonstrates a crash with each of LOAD_FAST, STORE_FAST, and DELETE_FAST.  These all crashed 2.7, 3.2, 3.3, and a recent trunk.  (Well, two exceptions: LOAD_FAST and DELETE_FAST didn't crash 3.2.  Given the behavior, my suspicion is not that 3.2 is hardened, just that there's something dopey with my thrown-together test.)

It could be that this is not an interesting bug, that policy suggests that anyone who can write their own bytecode is a Consenting Adult.  You tell me.
History
Date User Action Args
2013-02-12 06:14:34 larry set recipients: + larry
2013-02-12 06:14:34 larry set messageid: <1360649674.7.0.74265466328.issue17190@psf.upfronthosting.co.za>
2013-02-12 06:14:34 larry link issue17190 messages
2013-02-12 06:14:34 larry create
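
A pre-execution check for the condition reported in the message above, as an added example that is not part of the original message or of CPython: it scans raw bytecode for LOAD_FAST, STORE_FAST and DELETE_FAST arguments that fall outside the frame's fast-local slots, without running the code. The function name, the sample bytes and the choice to pass the slot count in explicitly are assumptions; it assumes CPython 3.6+ two-byte wordcode and treats `co_nlocals` as the slot count, which holds for functions without closure variables.

```python
import dis

# The three opcodes named in the report. Other fast-local opcodes that newer
# CPython versions add are out of scope for this sketch.
FAST_OPS = {dis.opmap[name]: name
            for name in ("LOAD_FAST", "STORE_FAST", "DELETE_FAST")}
EXTENDED_ARG = dis.opmap["EXTENDED_ARG"]


def find_out_of_range_fast_ops(bytecode, nslots):
    """Return [(offset, opname, index)] for fast-local ops whose index is
    not a valid slot number, i.e. not in range(nslots).

    Assumes one opcode byte plus one argument byte per instruction, with
    EXTENDED_ARG prefixes supplying the higher argument bytes.
    The bytecode is only read, never executed.
    """
    if len(bytecode) % 2:
        raise ValueError("wordcode must have an even length")
    findings = []
    ext = 0
    for offset in range(0, len(bytecode), 2):
        op, arg = bytecode[offset], bytecode[offset + 1]
        if op == EXTENDED_ARG:
            ext = (ext | arg) << 8      # accumulate the high bytes
            continue
        index = ext | arg
        ext = 0
        if op in FAST_OPS and index >= nslots:
            findings.append((offset, FAST_OPS[op], index))
    return findings


# Constructed sample: hand-assembled wordcode for a frame with one slot.
SAMPLE = bytes([
    dis.opmap["LOAD_FAST"], 0,      # slot 0: in range
    dis.opmap["STORE_FAST"], 5,     # slot 5: past the end
    EXTENDED_ARG, 1,
    dis.opmap["DELETE_FAST"], 0,    # slot 256 via EXTENDED_ARG: past the end
])


def compiled_sample(a, b):
    # Ordinary compiler output, used to show the check stays quiet on it.
    c = a
    return c


if __name__ == "__main__":
    for offset, name, index in find_out_of_range_fast_ops(SAMPLE, 1):
        print(f"offset {offset}: {name} index {index} is outside 1 slot")
```
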