Author vstinner
Recipients neologix, serhiy.storchaka, vstinner
Date 2014-08-15.22:03:18
Message-id <1408140199.72.0.115939936455.issue22207@psf.upfronthosting.co.za>
Content
Python contains a lot of tests like this one:

    if (length > PY_SSIZE_T_MAX / 4)
        return PyErr_NoMemory();

where length type is Py_ssize_t.

This test uses signed integers. There is usually an "assert(length > 0);" before it.

The issue #22110 enabled more compiler warnings and there are now warnings when the test uses an unsigned number. Example:

    if (size > PY_SSIZE_T_MAX - PyBytesObject_SIZE) ...

where PyBytesObject_SIZE is defined using offsetof() which returns a size_t.

I propose to always cast the Py_ssize_t length to size_t to avoid undefined behaviour (I never know if the compiler chooses signed or unsigned at the end) and to ensure that the test also fails for negative numbers. For example, the following test must fail for a negative size:

    if ((size_t)size > (size_t)PY_SSIZE_T_MAX - PyBytesObject_SIZE) ...

Attached patch changes bytesobject.c, tupleobject.c and unicodeobject.c (and asdl.c). If the global approach is accepted, more files should be patched.
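The two forms of the overflow check side by side, as an added example that is not part of the message or of the attached patch. It does not use CPython's headers: `Py_ssize_t`, `PY_SSIZE_T_MAX` and the `toy_bytes` struct (whose `offsetof()` stands in for `PyBytesObject_SIZE`) are stand-in definitions assumed here so the file compiles on its own. The point it shows is that the purely signed test lets a negative length through (hence the `assert` the message mentions), while the `(size_t)` form rejects it and mixes no signed and unsigned operands, so `-Wsign-compare` stays quiet.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for CPython's definitions (assumption: same shape as CPython's,
 * not its real headers) so this example builds without Python. */
typedef ptrdiff_t Py_ssize_t;
#define PY_SSIZE_T_MAX PTRDIFF_MAX

/* Toy object header with a flexible payload; offsetof() yields a size_t,
 * which is what introduces unsigned arithmetic into the original test. */
struct toy_bytes {
    Py_ssize_t refcnt;
    Py_ssize_t size;
    char data[1];
};
#define TOY_BYTES_SIZE (offsetof(struct toy_bytes, data))

/* Signed-only check, as in the first snippet: relies on the caller having
 * asserted length >= 0, because a negative length passes this test. */
int signed_check_ok(Py_ssize_t length)
{
    if (length > PY_SSIZE_T_MAX / 4)
        return 0;            /* CPython would return PyErr_NoMemory() here */
    return 1;
}

/* Proposed form: casting to size_t turns a negative size into a huge
 * unsigned value, so it fails the test, and every operand is unsigned. */
int unsigned_check_ok(Py_ssize_t size)
{
    if ((size_t)size > (size_t)PY_SSIZE_T_MAX - TOY_BYTES_SIZE)
        return 0;
    return 1;
}

/* Allocation size is computed only after the check has passed, so the
 * addition below cannot wrap around. Returns 0 to mean "refuse". */
size_t bytes_alloc_size(Py_ssize_t size)
{
    if (!unsigned_check_ok(size))
        return 0;
    return TOY_BYTES_SIZE + (size_t)size + 1;   /* +1 for the NUL terminator */
}

int main(void)
{
    Py_ssize_t probes[] = { 0, 100, -1, PY_SSIZE_T_MAX };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        printf("size=%td signed_ok=%d unsigned_ok=%d alloc=%zu\n",
               probes[i], signed_check_ok(probes[i]),
               unsigned_check_ok(probes[i]), bytes_alloc_size(probes[i]));
    }
    return 0;
}
```

Build it with `-Wall -Wextra -Wsign-compare` to confirm the cast form produces no warning; the `-1` probe is the case that distinguishes the two checks.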