Author martin.panter
Recipients Decorater, martin.panter, serhiy.storchaka, xiang.zhang, ztane
Date 2016-07-16.15:35:25
Message-id <1468683325.83.0.281039068579.issue27507@psf.upfronthosting.co.za>
Content
Not particularly related, but the special fast case in Objects/listobject.c:811, listextend(), also seems to lack an overflow check.

“An alternative would be to raise the error without trying to allocate Py_SSIZE_T_MAX first”: what I meant was removing the special case to allocate PY_SSIZE_T_MAX. As soon as it attempts to overallocate 2+ GiB of memory it fails. Something more like

addition = len >> 1;
if (addition > PY_SSIZE_T_MAX - len - 1) {
    /* . . . */
    return PyErr_NoMemory();
}
buf_size = len + addition;

Antti: in this case we are allocating an array of _bytes_, not pointers. So maybe it is possible to reach the limit with a 32-bit address space.
History
Date  User  Action  Args
2016-07-16 15:35:25  martin.panter  set  recipients: + martin.panter, serhiy.storchaka, ztane, xiang.zhang, Decorater
2016-07-16 15:35:25  martin.panter  set  messageid: <1468683325.83.0.281039068579.issue27507@psf.upfronthosting.co.za>
2016-07-16 15:35:25  martin.panter  link  issue27507 messages
2016-07-16 15:35:25  martin.panter  create
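
Added example, not part of the original message and not CPython code: the check-before-add pattern from the sketch in the message, exercised at the boundary of a 32-bit size. demo_ssize_t and DEMO_SSIZE_MAX are stand-ins assumed here for a 32-bit Py_ssize_t and PY_SSIZE_T_MAX; grow_checked and grow_unchecked_bits are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-ins for a 32-bit Py_ssize_t and PY_SSIZE_T_MAX, so the
   32-bit limit can be exercised on any host without Python.h. */
typedef int32_t demo_ssize_t;
#define DEMO_SSIZE_MAX INT32_MAX

/* Unchecked growth, done in unsigned arithmetic so the wrap is well defined
   here; the same sum in signed arithmetic would be undefined behaviour.
   Returns the raw 32-bit pattern of len + (len >> 1) for len >= 0. */
static uint32_t grow_unchecked_bits(demo_ssize_t len)
{
    return (uint32_t)len + (uint32_t)(len >> 1);
}

/* Checked growth in the shape of the message's sketch: compare against the
   limit before adding. Returns 0 and stores the new size, or -1 at the
   point where the sketch returns PyErr_NoMemory(). */
static int grow_checked(demo_ssize_t len, demo_ssize_t *buf_size)
{
    demo_ssize_t addition;

    if (len < 0)
        return -1;                 /* not a valid length */
    addition = len >> 1;
    if (addition > DEMO_SSIZE_MAX - len - 1)
        return -1;                 /* len + addition + 1 would exceed the limit */
    *buf_size = len + addition;
    return 0;
}

int main(void)
{
    /* Constructed inputs: a small size, the last accepted size, the first
       refused size, and one whose unchecked sum sets the sign bit. */
    demo_ssize_t sizes[] = { 1000, 0x55555554, 0x55555555, 0x60000000 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        demo_ssize_t out = 0;
        int rc = grow_checked(sizes[i], &out);
        printf("len=0x%08lx unchecked=0x%08lx checked=%s\n",
               (unsigned long)sizes[i],
               (unsigned long)grow_unchecked_bits(sizes[i]),
               rc == 0 ? "ok" : "refused");
    }
    return 0;
}
```

An unchecked result above 0x7fffffff is a negative number when read back as a signed 32-bit size, which is the value an allocator would receive without the check.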