Message77186
It turns out the problems in array are more serious than I thought and
allow writing to unallocated memory through a memoryview leading to
memory corruption, segfaults and possibly exploits. The following
example extends an array enough to trigger a realloc of the array's buffer.
Python 3.0 (r30:67503, Dec 4 2008, 13:30:57)
[GCC 4.2.4 (Ubuntu 4.2.4-1ubuntu3)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from array import array
>>> a = array('i', range(16))
>>> m = memoryview(a)
>>> a.extend(array('i', range(48))
... )
>>> m[:] = array('i', [0] * (len(m) // m.itemsize))
*** glibc detected *** python3.0: corrupted double-linked list:
0x0822c1f8 ***

Date | User | Action | Args
2008-12-06 23:21:32 | gumpy | set | recipients: + gumpy, pitrou
2008-12-06 23:21:32 | gumpy | set | messageid: <1228605692.57.0.745414993844.issue4509@psf.upfronthosting.co.za>
2008-12-06 23:21:32 | gumpy | link | issue4509 messages
2008-12-06 23:21:31 | gumpy | create |
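
A regression check for the condition reported above, added here as an example and not part of the original message or of CPython's test suite. It relies on the behaviour of current CPython, where resizing an array that has a live buffer export raises BufferError; the helper names `resize_attempts` and `check_export_guard` are made up for this sketch.

```python
from array import array


def resize_attempts():
    """Operations that change an array's length, keyed by name."""
    extra = array('i', range(48))  # same growth as in the report
    return {
        "extend": lambda a: a.extend(extra),
        "append": lambda a: a.append(0),
        "insert": lambda a: a.insert(0, 0),
        "pop": lambda a: a.pop(),
        "iadd": lambda a: a.__iadd__(extra),
        "delitem": lambda a: a.__delitem__(0),
    }


def check_export_guard():
    """Return {op_name: outcome} for each resize tried while a view is live."""
    results = {}
    for name, op in resize_attempts().items():
        a = array('i', range(16))
        before = a.tobytes()
        with memoryview(a) as m:
            try:
                op(a)
                # No write through the view here: on an unguarded
                # interpreter the view may point at freed memory.
                results[name] = "RESIZED (view may dangle)"
            except BufferError:
                # Guarded: the buffer is unchanged, so writing through
                # the view stays inside the allocation.
                assert a.tobytes() == before
                m[:] = array('i', [0] * len(m))
                results[name] = "refused"
        # The view is released on leaving the with block, so the same
        # operation must now be allowed.
        op(a)
    return results


if __name__ == "__main__":
    for name, outcome in check_export_guard().items():
        print(f"{name:8} {outcome}")
```

Any line reporting "RESIZED" means the interpreter allowed the array's buffer to be resized under a live memoryview, which is the precondition for the corruption shown in the session above.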