Josh Rosenberg <shadowranger+pyt...@gmail.com> added the comment:
Your analysis would be (almost) correct if a slice object could have a stop
value of NULL. It's wrong in that the error would be a NULL deference, not a
silent use of an uninitialized value, but it would be a bug. In your scenario
where v == NULL, it would pass the test for v != Py_None, then call
PyIndex_Check(v), and since the macro doesn't check for the passed value being
NULL, it would perform a NULL deference.
But even that's not possible; PySlice_New (which is ultimately responsible for
all slice construction) explicitly replaces any argument of NULL with Py_None,
so there is no such thing as a slice with *any* value being NULL.
So since r->stop is definitely non-NULL, either:
1. It's None, PySlice_Unpack line 232 executes, and stop is initialized
or
2. It's non-None, _PyEval_SliceIndex is called with a v that is definitely not
None and non-NULL, so it always enters the `if (v != Py_None) {` block, and
either it received a value index integer, in which case it initializes *pi (aka
stop) and returns 1 (success), or returns 0 (failure), which means stop is
never used.
The only way you could trigger your bug is to make a slice with an actual NULL
for its stop value (and as noted, the bug would be a NULL dereference in
PyIndex_Check, not a use of an uninitialized value, because v != Py_None would
return true for v == NULL), which is only possible through intentionally
misusing PySliceObject (reaching in and tweaking values of the struct
directly). And if you can do that, you're already a C extension (or ctypes
code) and can crash the interpreter any number of ways without resorting to
this level of complexity.
----------
nosy: +josh.r
resolution: -> not a bug
stage: -> resolved
status: open -> closed
_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue35842>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
