Martin Panter added the comment:

Not particularly related, but the special fast case in Objects/listobject.c:811, listextend(), also seems to lack an overflow check.

“An alternative would be to raise the error without trying to allocate Py_SSIZE_T_MAX first”: what I meant was removing the special case to allocate PY_SSIZE_T_MAX. As soon as it attempts to overallocate 2+ GiB of memory it fails. Something more like

    addition = len >> 1;
    if (addition > PY_SSIZE_T_MAX - len - 1) {
        /* . . . */
        return PyErr_NoMemory();
    }
    buf_size = len + addition;

Antti: in this case we are allocating an array of _bytes_, not pointers. So maybe it is possible to reach the limit with a 32-bit address space.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue27507>
_______________________________________
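
Added example, not part of the original message and not CPython's own code: the check from the snippet above written as a stand-alone C function, exercised at the lengths where 1.5 * len crosses a 32-bit signed limit. The names checked_grow, unchecked_grow32 and DEMO_SSIZE_MAX are hypothetical, and INT32_MAX is assumed as a stand-in for PY_SSIZE_T_MAX on a 32-bit build.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption for the demo: stand-in for PY_SSIZE_T_MAX on a 32-bit build. */
#define DEMO_SSIZE_MAX ((int64_t)INT32_MAX)

/* Checked growth following the snippet: returns 0 and stores the new buffer
   size, or -1 if len + (len >> 1) would pass the limit.
   Precondition: 0 <= len <= max. */
static int checked_grow(int64_t len, int64_t max, int64_t *buf_size)
{
    int64_t addition = len >> 1;
    /* Compare against max - len - 1 so the sum is never formed when it would
       overflow; the subtraction itself cannot overflow for 0 <= len <= max. */
    if (addition > max - len - 1)
        return -1;               /* the snippet returns PyErr_NoMemory() here */
    *buf_size = len + addition;
    return 0;
}

/* The same sum with no check, in unsigned 32-bit arithmetic (signed overflow
   is undefined in C). A result above INT32_MAX has no valid representation
   as a signed 32-bit size. */
static uint32_t unchecked_grow32(uint32_t len)
{
    return len + (len >> 1);
}

int main(void)
{
    /* Constructed sample lengths around the 32-bit boundary. */
    const int64_t samples[] = { 1000, 1431655764, 1431655765, 2000000000 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int64_t size = 0;
        uint32_t raw = unchecked_grow32((uint32_t)samples[i]);
        if (checked_grow(samples[i], DEMO_SSIZE_MAX, &size) == 0)
            printf("len=%" PRId64 ": ok, buf_size=%" PRId64 "\n",
                   samples[i], size);
        else
            printf("len=%" PRId64 ": rejected (unchecked sum %" PRIu32
                   " exceeds INT32_MAX)\n", samples[i], raw);
    }
    return 0;
}
```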