Issue 15736: Crash #2 (constructed overflow) in _PySequence_BytesToCharpArray()
A Py_ssize_t overflow can be constructed in _PySequence_BytesToCharpArray(). Patch attached.
Demonstration (requires revision >= 2af78f8a98e1):
Python 3.3.0b2+ (default:2af78f8a98e1, Aug 20 2012, 11:38:54)
[GCC 4.4.3] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import sys, _posixsubprocess
[65851 refs]
>>> class Z(object):
...     def __len__(self):
...         return sys.maxsize
...     def __getitem__(self, i):
...         return b'x'
...
[65923 refs]
>>> _posixsubprocess.fork_exec(1,Z(),3,[1, 2],5,6,7,8,9,10,11,12,13,14,15,16,17)
Segmentation fault
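
Added example, not taken from the issue or its attached patch: the size computation at risk when a sequence reports a length of sys.maxsize, next to a bounds-checked form. It assumes the function sizes a NULL-terminated char * array as (length + 1) * sizeof(char *); ssize_like_t, unchecked_array_bytes and checked_array_bytes are hypothetical names standing in for Py_ssize_t and the real code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for Py_ssize_t / PY_SSIZE_T_MAX so this builds without Python.h
   (assumption: both are the signed counterpart of size_t). */
typedef ptrdiff_t ssize_like_t;
#define SSIZE_LIKE_MAX PTRDIFF_MAX

/* Unchecked byte count for argc pointers plus a NULL terminator.
   Done in unsigned arithmetic so the wrap-around is defined and visible. */
size_t unchecked_array_bytes(ssize_like_t argc)
{
    return ((size_t)argc + 1) * sizeof(char *);
}

/* Checked byte count: returns 0 and sets *out on success, -1 when the length
   is negative or (argc + 1) * sizeof(char *) would exceed SSIZE_LIKE_MAX. */
int checked_array_bytes(ssize_like_t argc, size_t *out)
{
    if (argc < 0)
        return -1;
    if ((size_t)argc > (size_t)SSIZE_LIKE_MAX / sizeof(char *) - 1)
        return -1;
    *out = ((size_t)argc + 1) * sizeof(char *);
    return 0;
}

int main(void)
{
    size_t n = 0;
    /* A length of SSIZE_LIKE_MAX wraps the unchecked product to 0 bytes. */
    printf("unchecked(max) = %zu bytes\n", unchecked_array_bytes(SSIZE_LIKE_MAX));
    printf("checked(max)   = %d\n", checked_array_bytes(SSIZE_LIKE_MAX, &n));
    if (checked_array_bytes(2, &n) == 0)
        printf("checked(2)     = %zu bytes\n", n);
    return 0;
}
```

With the wrapped size, the allocation succeeds but is far smaller than the number of items the loop would then try to store, which is why the length has to be rejected before the multiplication.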