This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author gumpy
Recipients gumpy, pitrou
Date 2008-12-06.23:21:31
SpamBayes Score 0.007575672
Marked as misclassified No
Message-id <1228605692.57.0.745414993844.issue4509@psf.upfronthosting.co.za>
In-reply-to
Content 
It turns out the problems in array are more serious than I thought and
allow writing to unallocated memory through a memoryview leading to
memory corruption, segfaults and possibly exploits. The following
example extends an array enough to trigger a realloc of the array's buffer.

Python 3.0 (r30:67503, Dec  4 2008, 13:30:57) 
[GCC 4.2.4 (Ubuntu 4.2.4-1ubuntu3)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from array import array
>>> a = array('i', range(16))
>>> m = memoryview(a)
>>> a.extend(array('i', range(48))
... )
>>> m[:] = array('i', [0] * (len(m) // m.itemsize))
*** glibc detected *** python3.0: corrupted double-linked list:
0x0822c1f8 ***
History
Date User Action Args
2008-12-06 23:21:32gumpysetrecipients: + gumpy, pitrou
2008-12-06 23:21:32gumpysetmessageid: <1228605692.57.0.745414993844.issue4509@psf.upfronthosting.co.za>
2008-12-06 23:21:32gumpylinkissue4509 messages
2008-12-06 23:21:31gumpycreate