Issue 13334: Erroneous Size check in _PyString_Resize (original) (raw)

Issue13334

Created on 2011-11-03 12:50 by asdfasdfasdfasdfasdfasdfasdf, last changed 2022-04-11 14:57 by admin. This issue is now closed.

Messages (3)
msg146927 - (view) Author: david (asdfasdfasdfasdfasdfasdfasdf) Date: 2011-11-03 12:50
The _PyString_Resize function in stringobject.c[0] takes in a PyObject ** and a Py_ssize_t newsize. Where Py_ssize_t is often a typedef for ssize_t(a signed version of size_t). As such the newsize parameter could be negative. The code checks for when the newsize is negative like so: int _PyString_Resize(PyObject **pv, Py_ssize_t newsize) { ... if (!PyString_Check(v) | Py_REFCNT(v) != 1
msg146929 - (view) Author: Amaury Forgeot d'Arc (amaury.forgeotdarc) * (Python committer) Date: 2011-11-03 13:02
Let's take an example: on a 32bit system, call _PyString_Resize(&s, 0x7ffffff8) Then PyStringObject_SIZE + newsize is something like -0x7ffffff8 (yes, it wraps around and is a negative number) But when cast to an unsigned size_t (because that's what PyObject_REALLOC declares as parameter), it becomes 0x80000008, which is correct even if it is very likely to fail. Did you experience something different?
msg146932 - (view) Author: david (asdfasdfasdfasdfasdfasdfasdf) Date: 2011-11-03 13:12
Yes my bad :-) I got my C test case wrong.
History
Date User Action Args
2022-04-11 14:57:23 admin set github: 57543
2011-11-03 13:14:56 amaury.forgeotdarc set status: open -> closed
2011-11-03 13:12:58 asdfasdfasdfasdfasdfasdfasdf set status: pending -> openmessages: +
2011-11-03 13:02:37 amaury.forgeotdarc set status: open -> pendingnosy: + amaury.forgeotdarcmessages: + resolution: not a bug
2011-11-03 12:59:45 asdfasdfasdfasdfasdfasdfasdf set title: Erroneous Size check in -> Erroneous Size check in _PyString_Resize
2011-11-03 12:59:28 asdfasdfasdfasdfasdfasdfasdf set components: + Noneversions: + Python 2.7
2011-11-03 12:50:01 asdfasdfasdfasdfasdfasdfasdf create