Message270564
Not particularly related, but the special fast case in Objects/listobject.c:811, listextend(), also seems to lack an overflow check.
“An alternative would be to raise the error without trying to allocate Py_SSIZE_T_MAX first”: what I meant was removing the special case to allocate PY_SSIZE_T_MAX. As soon as it attempts to overallocate 2+ GiB of memory it fails. Something more like
addition = len >> 1;
if (addition > PY_SSIZE_T_MAX - len - 1) {
/* . . . */
return PyErr_NoMemory();
}
buf_size = len + addition;
Antti: in this case we are allocating an array of _bytes_, not pointers. So maybe it is possible to reach the limit with a 32-bit address space. |
|
Date |
User |
Action |
Args |
2016-07-16 15:35:25 | martin.panter | set | recipients:
+ martin.panter, serhiy.storchaka, ztane, xiang.zhang, Decorater |
2016-07-16 15:35:25 | martin.panter | set | messageid: <1468683325.83.0.281039068579.issue27507@psf.upfronthosting.co.za> |
2016-07-16 15:35:25 | martin.panter | link | issue27507 messages |
2016-07-16 15:35:25 | martin.panter | create | |
|