➜
This issue tracker has been migrated to GitHub,
and is currently read-only.
For more information,
see the GitHub FAQs in the Python's Developer Guide.
Created on 2004-08-09 05:34 by ddorfman, last changed 2022-04-11 14:56 by admin. This issue is now closed.
| Files | ||||
|---|---|---|---|---|
| File name | Uploaded | Description | Edit | |
| listindex.diff | ddorfman, 2004-08-09 05:34 | Diff against listobject.c and test case | ||
| Messages (2) | |||
|---|---|---|---|
| msg46589 - (view) | Author: Dima Dorfman (ddorfman) | Date: 2004-08-09 05:34 | |
The list.index implementation can be coerced into indexing past the end of ob_item. It calls PyObject_RichCompareBool (which may call into Python) in a loop, but the loop counter is only checked against a cached copy of the list size, so if the list shrinks during the comparison, the next counter value may be out of bounds. The patch includes a test case that causes unpatched Pythons to seg fault. I checked the other uses of PyObject_RichCompareBool in listobject.c, and all of them look safe (but I mostly glossed over the mergesort uses, which I'm sure have been painstakingly verified and tested by its author). (NB: The change to list_tests.py references the revision number of the post-patch listobject.c. When this is committed, please make sure that, that revision number is still current.) |
|||
| msg46590 - (view) | Author: Neal Norwitz (nnorwitz) *  |
Date: 2004-08-13 03:19 | |
Logged In: YES user_id=33168 Ouch, good catch. Thanks! Checked in as: * Objects/listobject.c 2.221 * Lib/test/list_tests.py 1.3 * Misc/NEWS 1.1086 |
|||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:56:06 | admin | set | github: 40721 |
| 2004-08-09 05:34:08 | ddorfman | create | |