Message225369
Python contains a lot of tests like this one:
if (length > PY_SSIZE_T_MAX / 4)
return PyErr_NoMemory();
where length type is Py_ssize_t.
This test uses signed integers. There is usually a "assert(length > 0);" before.
The issue #22110 enabled more compiler warnings and there are now warnings when the test uses an unsigned number. Example:
if (size > PY_SSIZE_T_MAX - PyBytesObject_SIZE) ...
where PyBytesObject_SIZE is defined using offsetof() which returns a size_t.
I propose to always cast Py_ssize_t length to size_t to avoid undefined behaviour (I never know if the compiler chooses signed or unsigned at the end) to ensure that the test also fail for negative number. For example, the following test must fail for negative size:
if ((size_t)size > (size_t)PY_SSIZE_T_MAX - PyBytesObject_SIZE) ...
Attached patch changes bytesobject.c, tupleobject.c and unicodeobject.c (and asdl.c). If the global approach is accepted, more files should be patched. |
|
Date |
User |
Action |
Args |
2014-08-15 22:03:20 | vstinner | set | recipients:
+ vstinner, neologix, serhiy.storchaka |
2014-08-15 22:03:19 | vstinner | set | messageid: <1408140199.72.0.115939936455.issue22207@psf.upfronthosting.co.za> |
2014-08-15 22:03:19 | vstinner | link | issue22207 messages |
2014-08-15 22:03:19 | vstinner | create | |
|