Message 225369 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	vstinner
Recipients	neologix, serhiy.storchaka, vstinner
Date	2014-08-15.22:03:18
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1408140199.72.0.115939936455.issue22207@psf.upfronthosting.co.za>
In-reply-to

Content
Python contains a lot of tests like this one: if (length > PY_SSIZE_T_MAX / 4) return PyErr_NoMemory(); where length type is Py_ssize_t. This test uses signed integers. There is usually a "assert(length > 0);" before. The issue #22110 enabled more compiler warnings and there are now warnings when the test uses an unsigned number. Example: if (size > PY_SSIZE_T_MAX - PyBytesObject_SIZE) ... where PyBytesObject_SIZE is defined using offsetof() which returns a size_t. I propose to always cast Py_ssize_t length to size_t to avoid undefined behaviour (I never know if the compiler chooses signed or unsigned at the end) to ensure that the test also fail for negative number. For example, the following test must fail for negative size: if ((size_t)size > (size_t)PY_SSIZE_T_MAX - PyBytesObject_SIZE) ... Attached patch changes bytesobject.c, tupleobject.c and unicodeobject.c (and asdl.c). If the global approach is accepted, more files should be patched.

Python contains a lot of tests like this one:

    if (length > PY_SSIZE_T_MAX / 4)
         return PyErr_NoMemory();

where length type is Py_ssize_t.

This test uses signed integers. There is usually a "assert(length > 0);" before.

The issue #22110 enabled more compiler warnings and there are now warnings when the test uses an unsigned number. Example:

   if (size > PY_SSIZE_T_MAX - PyBytesObject_SIZE) ...

where PyBytesObject_SIZE is defined using offsetof() which returns a size_t.

I propose to always cast Py_ssize_t length to size_t to avoid undefined behaviour (I never know if the compiler chooses signed or unsigned at the end) to ensure that the test also fail for negative number. For example, the following test must fail for negative size:

   if ((size_t)size > (size_t)PY_SSIZE_T_MAX - PyBytesObject_SIZE) ...

Attached patch changes bytesobject.c, tupleobject.c and unicodeobject.c (and asdl.c). If the global approach is accepted, more files should be patched.

History
Date	User	Action	Args
2014-08-15 22:03:20	vstinner	set	recipients: + vstinner, neologix, serhiy.storchaka
2014-08-15 22:03:19	vstinner	set	messageid: <1408140199.72.0.115939936455.issue22207@psf.upfronthosting.co.za>
2014-08-15 22:03:19	vstinner	link	issue22207 messages
2014-08-15 22:03:19	vstinner	create