Message231651
I found an interger overflow in the standard iterator object (Objects/iterobject.c)
The `it_index` attribute used by the iterator is a `Py_ssize_t` but overflow is never checked. So after the index `PY_SSIZE_T_MAX`, the iterator object will ask for the index `PY_SSIZE_T_MIN`.
Here is an example:
import sys
class Seq:
def __getitem__(self, item):
print("[-] Asked for item at <{0}>".format(item))
return 0
s = Seq()
i = iter(s)
# Manually set `it_index` to PY_SSIZE_T_MAX without a loop
i.__setstate__(sys.maxsize)
next(i)
[-] Asked for item at <9223372036854775807>
next(i)
[-] Asked for item at <-9223372036854775808>
I would be really interested in writing a patch but first I wanted to discuss the expected behaviour and fix.
The iterator could stop after `PY_SSIZE_T_MAX` but it seems strange as other iterator (like `enumobject`) handle values bigger than `PY_SSIZE_T_MAX`.
Or the same technique used in `enumobject` could be used: adding a field `PyObject* en_longindex` (a python long) which would be used for values bigger than `PY_SSIZE_T_MAX` |
|
Date |
User |
Action |
Args |
2014-11-25 10:56:33 | hakril | set | recipients:
+ hakril |
2014-11-25 10:56:33 | hakril | set | messageid: <1416912993.1.0.671503723984.issue22939@psf.upfronthosting.co.za> |
2014-11-25 10:56:33 | hakril | link | issue22939 messages |
2014-11-25 10:56:32 | hakril | create | |
|