New submission from Ross Lagerwall <rosslagerw...@gmail.com>:

The fix for issue10916 committed in r88022 introduces this line:

    map_size = st.st_size - offset;

If offset > st.st_size, map_size is negative. This should cause the mmap system call to return -1 and set errno. However, given a certain size of offset, since map_size is unsigned it will give a very large map_size and accessing the resultant mmap object results in a bus error crash. It also gives bogus len(mmap) values.

E.g. (crashes on a 32-bit system):

    import os, mmap

    with open("/tmp/rnd", "wb") as f:
        f.write(b"X" * 115699)

    with open("/tmp/rnd", "w+b") as f:
        with mmap.mmap(f.fileno(), 0, offset=2147479552) as m:
            print(len(m))
            for i in m:
                print(m[i])

Attached is a patch which should fix this issue by raising a value error if offset > st.st_size.

----------
files: mmap_issue.patch
keywords: patch
messages: 126629
nosy: amaury.forgeotdarc, pitrou, rosslagerwall
priority: normal
severity: normal
status: open
title: mmap crash
type: crash
versions: Python 2.7, Python 3.1, Python 3.2
Added file: http://bugs.python.org/file20466/mmap_issue.patch

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue10959>
_______________________________________
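
The wrap-around described in the report, modelled in C as an added example (not the patch attached to the issue and not CPython's code). It assumes a 32-bit size_t, represented here by uint32_t; the function names are hypothetical, the offset is the one from the reproducer and the file sizes are sample values.

```c
#include <stdint.h>
#include <stdio.h>

/* Unchecked form of "map_size = st.st_size - offset" with a 32-bit
 * unsigned map_size: a negative difference is converted to unsigned
 * and wraps modulo 2^32 into a very large length. */
static uint32_t map_size_unchecked(int64_t file_size, int64_t offset)
{
    return (uint32_t)(file_size - offset);
}

/* Guarded form (assumption: mirrors the report's proposed rule of
 * rejecting offset > st.st_size). Returns 0 and stores the length on
 * success, -1 when the request must be refused before mapping. */
static int map_size_checked(int64_t file_size, int64_t offset, uint32_t *out)
{
    if (file_size < 0 || offset < 0)
        return -1;                      /* nonsensical input */
    if (offset > file_size)
        return -1;                      /* would underflow: refuse */
    int64_t len = file_size - offset;   /* now known to be >= 0 */
    if (len > (int64_t)UINT32_MAX)
        return -1;                      /* does not fit a 32-bit size_t */
    *out = (uint32_t)len;
    return 0;
}

int main(void)
{
    const int64_t offset = 2147479552LL;      /* offset from the report */
    const int64_t sizes[] = { 0, 115699 };    /* sample file sizes */

    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        uint32_t len = 0;
        int rc = map_size_checked(sizes[i], offset, &len);
        printf("st_size=%lld unchecked=%lu checked=%s\n",
               (long long)sizes[i],
               (unsigned long)map_size_unchecked(sizes[i], offset),
               rc == 0 ? "ok" : "rejected");
    }
    return 0;
}
```
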