[issue7788] segfault when deleting from a list using slice with very big `step' value

Mark Dickinson added the comment: Yes, adding carefully placed (size_t) casts seems like the right way to solve the problem. I've fixed all (I think) the warnings in r78183, r78184, r78189. I also fixed one case (unrelated to this issue) of potential undefined behaviour from signed overflow

[issue7788] segfault when deleting from a list using slice with very big `step' value

Marcin Bachry added the comment: I had odd problems matching line numbers reported by Windows compiler to actual sources, so I used "gcc -Wextra" to produce (even more) signedness warnings against Python 2.x r77957: listobject.c:132: warning: comparison between signed and unsigned integer ex

[issue7788] segfault when deleting from a list using slice with very big `step' value

Mark Dickinson added the comment: This patch is producing warnings about signed <-> unsigned comparisons on the Windows buildbots; these should be fixed. See: http://www.python.org/dev/buildbot/all/builders/x86%20XP-4%202.6/builds/781/steps/compile/logs/warnings -- priority: release

[issue7788] segfault when deleting from a list using slice with very big `step' value

Mark Dickinson added the comment: Perfect! Applied in r77821 through r77824; thank you. -- status: open -> closed ___ Python tracker ___ ___

[issue7788] segfault when deleting from a list using slice with very big `step' value

Marcin Bachry added the comment: I attach the patch. I changed signedness in all three sequence types and made sure tests crash when run on unpatched Python. -- Added file: http://bugs.python.org/file16019/fix.diff ___ Python tracker

[issue7788] segfault when deleting from a list using slice with very big `step' value

Mark Dickinson added the comment: Raising priority again. I'm not sure when 3.1.2 is going out, but I'd like to make sure that this issue at least gets considered before it does. -- priority: critical -> release blocker ___ Python tracker

[issue7788] segfault when deleting from a list using slice with very big `step' value

Mark Dickinson added the comment: Great---thank you! I'll review the patch when it's ready. -- assignee: -> mark.dickinson ___ Python tracker ___ __

[issue7788] segfault when deleting from a list using slice with very big `step' value

Marcin Bachry added the comment: Yes, I can give a shot. -- ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe: htt

[issue7788] segfault when deleting from a list using slice with very big `step' value

Mark Dickinson added the comment: Nice! Marcin, are you interested in contributing a patch that fixes the three known cases (bytearray, list, array), and also adds suitable tests? -- ___ Python tracker __

[issue7788] segfault when deleting from a list using slice with very big `step' value

Marcin Bachry added the comment: Using "grep" I found the same code in Modules/arraymodule.c: from array import array del array('i', range(10))[9::1<<333] -- ___ Python tracker

[issue7788] segfault when deleting from a list using slice with very big `step' value

Mark Dickinson added the comment: And judging by flox's result for bytearray, we should check all the other sequence types, too. -- stage: test needed -> needs patch ___ Python tracker

[issue7788] segfault when deleting from a list using slice with very big `step' value

Mark Dickinson added the comment: Thanks. Yes, that fix seems to work. I also tried rewriting the suspect test as if (step >= Py_SIZE(self) - cur) but this produced a different failure: it looks like there's more than one point with potential overflow for cur. Not to mention that the 'cu

[issue7788] segfault when deleting from a list using slice with very big `step' value

Marcin Bachry added the comment: I think the expression "cur + step" in line 2660 of listobject.c (py2.7 trunk) overflows to negative value and the "if" branch isn't entered. if (cur + step >= Py_SIZE(self)) { lim = Py_SIZE(self) - cur - 1; } If I change the type of "cur" variable to

[issue7788] segfault when deleting from a list using slice with very big `step' value

Mark Dickinson added the comment: There's a suspicious looking test in list_ass_subscript in Objects/listobject.c: if (cur + step >= Py_SIZE(self)) { lim = Py_SIZE(self) - cur - 1; } I think what's happening here is that cur + step is overflowing, so that the test fails. --

[issue7788] segfault when deleting from a list using slice with very big `step' value

Florent Xicluna added the comment: For the record: >>> del bytearray('%%%')[1::1<<333] Segmentation fault -- ___ Python tracker ___ _

[issue7788] segfault when deleting from a list using slice with very big `step' value

Mark Dickinson added the comment: I don't immediately see why it would be considered a security issue. -- ___ Python tracker ___ ___ P

[issue7788] segfault when deleting from a list using slice with very big `step' value

Jan Kaliszewski added the comment: PS. Is such a data-dependant segfault considered as security problem? (if it is, maybe Python2.5 shuld be kept in "Versions" list) -- ___ Python tracker _

[issue7788] segfault when deleting from a list using slice with very big `step' value

Jan Kaliszewski added the comment: Interesting that in Py2.5... >>> del range(10)[::maxint] ...this causes segfault but in Py2.6 is ok, as well as in Py3.0 (with maxsize insetad of maxint). (That's why I didn't noticed that it concerns newer version than 2.5, and marked only 2.5). But, as E

[issue7788] segfault when deleting from a list using slice with very big `step' value

Ezio Melotti added the comment: 32bit, with sys.maxint/maxsize == 2147483647. -- ___ Python tracker ___ ___ Python-bugs-list mailing l

[issue7788] segfault when deleting from a list using slice with very big `step' value

Mark Dickinson added the comment: Raising priority: it shouldn't be possible to crash Python this easily. Ezio, are you on a 64-bit or 32-bit system? -- priority: normal -> critical ___ Python tracker ___

[issue7788] segfault when deleting from a list using slice with very big `step' value

Changes by Florent Xicluna : -- nosy: +flox, haypo ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.p

[issue7788] segfault when deleting from a list using slice with very big `step' value

Changes by Mark Dickinson : -- nosy: +mark.dickinson ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail

[issue7788] segfault when deleting from a list using slice with very big `step' value

Ezio Melotti added the comment: This is what I get on trunk: Python 2.7a2+ (trunk:77754:77755, Jan 26 2010, 20:16:49) [GCC 4.4.1] on linux2 Type "help", "copyright", "credits" or "license" for more information. >>> from sys import maxint >>> del range(10)[::maxint] >>> del range(10)[:-9:maxint]

[issue7788] segfault when deleting from a list using slice with very big `step' value

Jan Kaliszewski added the comment: ** Erratum ** -- was: del list_instance([start : stop : very_big_step]) causes segfaults... -- should be: del list_instance[start : stop : very_big_step] causes segfaults... ** Post scriptum ** In each example only the last statement causes segmentation fault

[issue7788] segfault when deleting from a list using slice with very big `step' value

New submission from Jan Kaliszewski : del list_instance([start : stop : very_big_step]) causes segfaults... The boundary values seem to be: * start -- near length of the list * stop -- near (-length) of the list * very_big_step -- near sys.maxint Let examples speak... >>> from sys import maxin