Bugs item #1451641, was opened at 2006-03-16 20:43
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=1451641&group_id=5470
Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: Parser/Compiler
Group: Python 2.4
Status: Open
Resolution: None
Priority: 5
Submitted By: Kristján Valur (krisvale)
Assigned to: Nobody/Anonymous (nobody)
Summary: segfault in optimize_code()

Initial Comment:
The function optimize_code() is called, for example when unpickling code objects. However, with corrupt data it can cause segfaults. This is because of code such as:

    tgt = GETJUMPTGT(codestr, (i+1));
    if (codestr[tgt]) continue;

tgt can in this case easily be some nonsense and cause an access violation when used as an index into codestr. This behaviour has been observed.

My particular patch is this:

    #define CHECK_I(i) do {if ((i)<0 || (i)>=codelen) goto exitError;}while(0)
    #define CHECKARG(i) do {CHECK_I(i+1); CHECK_I(i+2);} while(0)
    #define CHECKJUMPTGT(i) do{CHECKARG(i); CHECK_I(i);} while(0)

then, adding tests such as

    CHECKJUMPTGT(j);

before code that looks like

    tgt = GETJUMPTGT(j);

and

    CHECK_I(tgt);

before

    codestr[tgt] = foo;

Also, this function needs to be able to raise an exception. jcompile() must be able to deal with this case.

Finally, this is also an issue in 2.3 (actually, I discovered it there, but a quick look seems to indicate it being a problem in 2.4 too).
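
The bounds checks proposed in the report, as an added example that is not part of the original submission or of CPython's source: a validator that refuses to follow a jump whose argument bytes or target fall outside the code buffer. The fixed 3-byte instruction layout, the opcode values, the helper names and the sample buffers are assumptions made for illustration.

```c
#include <stdio.h>
/* Simplified model (assumption): each instruction is one opcode byte plus a
   16-bit little-endian argument. Opcode values below are constructed. */
enum { OP_NOP = 1, OP_JUMP_ABS = 2, OP_JUMP_REL = 3, INSTR_LEN = 3 };

/* The report's CHECK_I test, written as a predicate instead of a goto. */
static int in_range(long i, long codelen) { return i >= 0 && i < codelen; }

/* Resolve the jump target of the instruction at offset i. Returns 0 and
   stores the target, or -1 if the argument bytes or the target fall outside
   codestr (the cases CHECKJUMPTGT(i) and CHECK_I(tgt) are meant to catch). */
static int checked_jump_target(const unsigned char *codestr, long codelen,
                               long i, long *tgt)
{
    long arg, t;
    if (!in_range(i, codelen) || !in_range(i + 2, codelen))
        return -1;                      /* opcode or argument bytes missing */
    arg = codestr[i + 1] | ((long)codestr[i + 2] << 8);
    t = (codestr[i] == OP_JUMP_REL) ? i + INSTR_LEN + arg : arg;
    if (!in_range(t, codelen))
        return -1;                      /* target would index past the buffer */
    *tgt = t;
    return 0;
}

/* Returns 0 if every jump in the buffer is safe to follow, -1 otherwise; the
   -1 path stands in for raising an exception to the caller. */
static int validate_jumps(const unsigned char *codestr, long codelen)
{
    long i, tgt;
    for (i = 0; i < codelen; i += INSTR_LEN)
        if ((codestr[i] == OP_JUMP_ABS || codestr[i] == OP_JUMP_REL) &&
            checked_jump_target(codestr, codelen, i, &tgt) < 0)
            return -1;
    return 0;
}

/* Constructed sample buffers: valid, corrupt target, truncated argument. */
static const unsigned char GOOD[]      = {2, 6, 0, 1, 0, 0, 1, 0, 0};
static const unsigned char CORRUPT[]   = {2, 0xFF, 0xFF, 1, 0, 0};
static const unsigned char TRUNCATED[] = {1, 0, 0, 3, 1};

int main(void)
{
    printf("%d %d %d\n", validate_jumps(GOOD, sizeof GOOD),
           validate_jumps(CORRUPT, sizeof CORRUPT),
           validate_jumps(TRUNCATED, sizeof TRUNCATED));
    return 0;
}
```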