Author serhiy.storchaka
Recipients methane, serhiy.storchaka, vstinner
Date 2016-11-18.12:31:57
Message-id <1479472318.01.0.342885521632.issue28731@psf.upfronthosting.co.za>
Content
The condition in the loop in _PyDict_NewPresized() contains the test newsize > 0. This is a check for integer overflow. But it doesn't make much sense. First, the overflow is undefined behavior, and it is too late to detect it once it has already happened. Second, after detection the negative value is just passed to new_keys_object(), which either crashes in a debug build or makes another integer overflow and creates an invalid object.

I would add a runtime check that minused is less than PY_SSIZE_MAX/3 (or the stronger PY_SSIZE_MAX/3*2/sizeof(PyObject *)). This would guarantee that integer overflow is not possible. The test "newsize > 0" could be removed.

There is similar code in dictresize().
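Added example (not CPython's code and not the author's patch): a stand-alone C model of the check the message proposes, with the bound on minused tested before any multiplication so that neither the 3/2 estimate, the power-of-two rounding, nor the final byte count can overflow. The names presize_table, presized_alloc_bytes and MINSIZE, and the use of ptrdiff_t as a stand-in for Py_ssize_t, are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for CPython's Py_ssize_t / PY_SSIZE_T_MAX (assumption: ptrdiff_t). */
typedef ptrdiff_t sz_t;
#define SZ_MAX PTRDIFF_MAX
#define MINSIZE 8   /* plays the role of PyDict_MINSIZE in this model */

/*
 * Pre-multiplication bound, as proposed in the message: a request is accepted
 * only if minused < SZ_MAX/3, so that minused*3/2 (the 2/3 load-factor
 * estimate) and the power-of-two rounding that follows cannot overflow.
 *
 * This replaces the pattern the message criticizes, where the loop tests
 * "newsize > 0" AFTER the overflow: a signed left shift into the sign bit is
 * undefined behaviour, so the compiler may assume it never happens and drop
 * the test, and a negative size would otherwise reach the allocator anyway.
 *
 * Returns the table size (a power of two >= MINSIZE), or -1 if out of range.
 */
sz_t presize_table(sz_t minused)
{
    const sz_t max_minused = SZ_MAX / 3;
    if (minused < 0 || minused >= max_minused)
        return -1;                       /* rejected before any arithmetic */

    sz_t estimate = minused * 3 / 2;     /* minused*3 < SZ_MAX: no overflow */
    sz_t newsize = MINSIZE;
    /* estimate <= SZ_MAX/2, so doubling while newsize < estimate stays in range. */
    while (newsize < estimate)
        newsize <<= 1;
    return newsize;
}

/*
 * The stronger bound: the byte count handed to the allocator must fit too.
 * Here it is checked explicitly against the entry size rather than folded
 * into the bound on minused; -1 means the allocation would overflow.
 */
sz_t presized_alloc_bytes(sz_t minused, size_t entry_bytes)
{
    sz_t newsize = presize_table(minused);
    if (newsize < 0 || entry_bytes == 0 || entry_bytes > (size_t)SZ_MAX)
        return -1;
    if (newsize > SZ_MAX / (sz_t)entry_bytes)
        return -1;                       /* newsize * entry_bytes would overflow */
    return newsize * (sz_t)entry_bytes;
}

int main(void)
{
    /* Constructed sample requests, including the two edges of the bound. */
    sz_t samples[] = { 0, 5, 6, 100, SZ_MAX / 3 - 1, SZ_MAX / 3, -1 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        sz_t n = samples[i];
        printf("minused=%td -> table=%td bytes=%td\n",
               n, presize_table(n), presized_alloc_bytes(n, 3 * sizeof(void *)));
    }
    return 0;
}
```

The two functions report failure with -1 instead of returning a negative or wrapped size, so a caller can raise an error before new_keys_object() or the allocator ever sees an invalid value.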