Author hakril
Recipients hakril
Date 2014-11-25.10:56:32
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1416912993.1.0.671503723984.issue22939@psf.upfronthosting.co.za>
In-reply-to
Content
I found an interger overflow in the standard iterator object (Objects/iterobject.c)

The `it_index` attribute used by the iterator is a `Py_ssize_t` but overflow is never checked. So after the index `PY_SSIZE_T_MAX`, the iterator object will ask for the index `PY_SSIZE_T_MIN`.

Here is an example:

    import sys

    class Seq:
        def __getitem__(self, item):
            print("[-] Asked for item at <{0}>".format(item))
            return 0

    s = Seq()
    i = iter(s)
    # Manually set `it_index` to PY_SSIZE_T_MAX without a loop
    i.__setstate__(sys.maxsize)

    next(i)
    [-] Asked for item at <9223372036854775807>
    next(i)
    [-] Asked for item at <-9223372036854775808>


I would be really interested in writing a patch but first I wanted to discuss the expected behaviour and fix.

The iterator could stop after `PY_SSIZE_T_MAX` but it seems strange as other iterator (like `enumobject`) handle values bigger than `PY_SSIZE_T_MAX`.

Or the same technique used in `enumobject` could be used: adding a field `PyObject* en_longindex` (a python long) which would be used for values bigger than `PY_SSIZE_T_MAX`
History
Date User Action Args
2014-11-25 10:56:33hakrilsetrecipients: + hakril
2014-11-25 10:56:33hakrilsetmessageid: <1416912993.1.0.671503723984.issue22939@psf.upfronthosting.co.za>
2014-11-25 10:56:33hakrillinkissue22939 messages
2014-11-25 10:56:32hakrilcreate