[New-bugs-announce] [issue9236] Invalid reads in fastsearch.h

Stefan Krah report at bugs.python.org
Mon Jul 12 23:07:10 CEST 2010


New submission from Stefan Krah <stefan-usenet at bytereef.org>:

In test_bytes Valgrind finds two reads with negative array indices.


test_bytes
==7341== Invalid read of size 1
==7341==    at 0x4EDA24: fastsearch (fastsearch.h:143)
==7341==    by 0x4F170E: bytearray_find_internal (find.h:42)
==7341==    by 0x4F17BD: bytearray_rindex (bytearrayobject.c:1267)
==7341==    by 0x49DDA0: PyEval_EvalFrameEx (ceval.c:4322)
==7341==    by 0x49FD2A: PyEval_EvalCodeEx (ceval.c:3252)
==7341==    by 0x49D741: PyEval_EvalFrameEx (ceval.c:4108)
==7341==    by 0x49E155: PyEval_EvalFrameEx (ceval.c:4098)
==7341==    by 0x49FD2A: PyEval_EvalCodeEx (ceval.c:3252)
==7341==    by 0x4FE1BE: function_call (funcobject.c:526)
==7341==    by 0x41AE8C: PyObject_Call (abstract.c:2522)
==7341==    by 0x49B9AB: PyEval_EvalFrameEx (ceval.c:4325)
==7341==    by 0x49FD2A: PyEval_EvalCodeEx (ceval.c:3252)
==7341==  Address 0xcfd37df is 1 bytes before a block of size 6 alloc'd
==7341==    at 0x4C2412C: malloc (vg_replace_malloc.c:195)
==7341==    by 0x4C241A6: realloc (vg_replace_malloc.c:476)
==7341==    by 0x4EF441: PyByteArray_Resize (bytearrayobject.c:259)
==7341==    by 0x4F0F8A: bytearray_iconcat (bytearrayobject.c:340)
==7341==    by 0x4F113E: bytearray_init (bytearrayobject.c:810)
==7341==    by 0x468531: type_call (typeobject.c:723)
==7341==    by 0x41AE8C: PyObject_Call (abstract.c:2522)
==7341==    by 0x499129: PyEval_EvalFrameEx (ceval.c:4230)
==7341==    by 0x49E155: PyEval_EvalFrameEx (ceval.c:4098)
==7341==    by 0x49FD2A: PyEval_EvalCodeEx (ceval.c:3252)
==7341==    by 0x4FE1BE: function_call (funcobject.c:526)
==7341==    by 0x41AE8C: PyObject_Call (abstract.c:2522)
==7341== 
==7341== 
==7341== ---- Attach to debugger ? --- [Return/N/n/Y/y/C/c] ---- y
==7341== starting debugger with cmd: /usr/bin/gdb -nw /proc/7507/fd/1014 7507
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu"...
Attaching to program: /proc/7507/fd/1014, process 7507
fastsearch (s=0xcfd37e0 "world", n=0, p=0xa0170b4 "worm", m=4, maxcount=<value optimized out>, mode=2) at Objects/stringlib/fastsearch.h:143
143                     if (!STRINGLIB_BLOOM(mask, s[i-1]))
(gdb) p i
$1 = 0

==7341== 
==7341== Debugger has detached.  Valgrind regains control.  We continue.
==7341== Invalid read of size 1
==7341==    at 0x4ED9B0: fastsearch (fastsearch.h:149)
==7341==    by 0x4F0938: bytearray_rsplit (split.h:311)
==7341==    by 0x49E6C1: PyEval_EvalFrameEx (ceval.c:4012)
==7341==    by 0x49E155: PyEval_EvalFrameEx (ceval.c:4098)
==7341==    by 0x49FD2A: PyEval_EvalCodeEx (ceval.c:3252)
==7341==    by 0x4FE1BE: function_call (funcobject.c:526)
==7341==    by 0x41AE8C: PyObject_Call (abstract.c:2522)
==7341==    by 0x49B9AB: PyEval_EvalFrameEx (ceval.c:4325)
==7341==    by 0x49FD2A: PyEval_EvalCodeEx (ceval.c:3252)
==7341==    by 0x4FE1BE: function_call (funcobject.c:526)
==7341==    by 0x41AE8C: PyObject_Call (abstract.c:2522)
==7341==    by 0x42237E: instancemethod_call (classobject.c:2578)
==7341==  Address 0xf7c508f is 1 bytes before a block of size 12 alloc'd
==7341==    at 0x4C2412C: malloc (vg_replace_malloc.c:195)
==7341==    by 0x4C241A6: realloc (vg_replace_malloc.c:476)
==7341==    by 0x4EF441: PyByteArray_Resize (bytearrayobject.c:259)
==7341==    by 0x4F0F8A: bytearray_iconcat (bytearrayobject.c:340)
==7341==    by 0x4F113E: bytearray_init (bytearrayobject.c:810)
==7341==    by 0x468531: type_call (typeobject.c:723)
==7341==    by 0x41AE8C: PyObject_Call (abstract.c:2522)
==7341==    by 0x499129: PyEval_EvalFrameEx (ceval.c:4230)
==7341==    by 0x49E155: PyEval_EvalFrameEx (ceval.c:4098)
==7341==    by 0x49FD2A: PyEval_EvalCodeEx (ceval.c:3252)
==7341==    by 0x4FE1BE: function_call (funcobject.c:526)
==7341==    by 0x41AE8C: PyObject_Call (abstract.c:2522)
==7341== 
==7341== 
==7341== ---- Attach to debugger ? --- [Return/N/n/Y/y/C/c] ---- y
==7341== starting debugger with cmd: /usr/bin/gdb -nw /proc/7534/fd/1014 7534
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu"...
Attaching to program: /proc/7534/fd/1014, process 7534
fastsearch (s=0xf7c5090 "mississippi", n=0, p=0x9eba16c "ss", m=2, maxcount=-1, mode=2) at Objects/stringlib/fastsearch.h:149
149                     if (!STRINGLIB_BLOOM(mask, s[i-1]))
(gdb) p i
$1 = 0

----------
components: Interpreter Core
messages: 110140
nosy: skrah
priority: normal
severity: normal
status: open
title: Invalid reads in fastsearch.h
type: behavior
versions: Python 2.7

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue9236>
_______________________________________
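Both Valgrind hits above are the same pattern: the reverse-search branch of fastsearch.h tests the byte before the current window with s[i-1], and gdb shows i == 0 at both sites, so the byte read is one before the start of the bytearray's allocation (matching "1 bytes before a block ... alloc'd"). The C program below is an added example written for this page, not CPython's code: it reconstructs that reverse-search loop in simplified form (a delta-1 "bloom" mask plus the two s[i-1] tests, one on a candidate miss and one on a plain skip) so the two reported call paths, rindex of "worm" in "world" and rsplit of "mississippi" on "ss", can be replayed without Valgrind. In "unguarded" mode the would-be s[-1] access is intercepted and counted rather than performed, so the example itself has no undefined behaviour; in "guarded" mode an i > 0 check is applied first. The macro and function names, the i > 0 guard and the sample inputs are this example's own assumptions; the page does not show the upstream fix.

```c
#include <stdio.h>
#include <string.h>

/* Compressed delta-1 "bloom" table: one bit per value of (c & 63).
 * Reconstructed here after the STRINGLIB_BLOOM idea; not CPython's macro. */
#define BLOOM_ADD(mask, c) ((mask) |= 1ULL << ((unsigned char)(c) & 63))
#define BLOOM(mask, c)     (((mask) >> ((unsigned char)(c) & 63)) & 1ULL)

/* "Is the byte before the current window absent from the pattern?"
 * At i == 0 that byte is s[-1], one byte before the allocation: the read
 * Valgrind reported. Unguarded mode counts the attempt instead of doing it. */
static int prev_absent(unsigned long long mask, const unsigned char *s,
                       long i, int guarded, int *oob_reads)
{
    if (i == 0) {
        if (guarded)
            return 0;       /* nothing precedes s[0]; fall back to skip */
        (*oob_reads)++;     /* would have been s[-1] */
        return 1;           /* stand-in for whatever garbage sat there */
    }
    return !BLOOM(mask, s[i - 1]);
}

/* Reverse search for p[0..m) in s[0..n), modelled on the FAST_RSEARCH loop
 * (simplified: no one-byte fast path). Returns rightmost match index or -1. */
static long rsearch(const unsigned char *s, long n,
                    const unsigned char *p, long m,
                    int guarded, int *oob_reads)
{
    unsigned long long mask = 0;
    long i, j, w = n - m, mlast = m - 1, skip = mlast - 1;

    *oob_reads = 0;
    if (w < 0 || m <= 0)
        return -1;
    BLOOM_ADD(mask, p[0]);
    for (i = mlast; i > 0; i--) {
        BLOOM_ADD(mask, p[i]);
        if (p[i] == p[0])
            skip = i - 1;
    }
    for (i = w; i >= 0; i--) {
        if (s[i] == p[0]) {
            for (j = mlast; j > 0; j--)
                if (s[i + j] != p[j])
                    break;
            if (j == 0)
                return i;                       /* match */
            /* miss: jump a whole pattern if the preceding byte cannot start
             * a match, otherwise only by the precomputed skip */
            i = prev_absent(mask, s, i, guarded, oob_reads) ? i - m : i - skip;
        } else if (prev_absent(mask, s, i, guarded, oob_reads)) {
            i -= m;                             /* plain skip path */
        }
    }
    return -1;
}

/* Repeated reverse search over shrinking prefixes, the way a right-split
 * walks its input. Returns separators found; intercepted s[-1] reads of all
 * calls (including the final failing one) are summed into *oob. */
static int rsplit_count(const unsigned char *s, long n,
                        const unsigned char *p, long m,
                        int guarded, int *oob)
{
    int found = 0, call_oob = 0;
    long pos;

    *oob = 0;
    while ((pos = rsearch(s, n, p, m, guarded, &call_oob)) >= 0) {
        *oob += call_oob;
        found++;
        n = pos;                /* continue to the left of the match */
    }
    *oob += call_oob;
    return found;
}

/* Wrappers over C strings; inputs are constructed to mirror the report. */
static long demo_rsearch(const char *hay, const char *needle, int guarded)
{
    int oob;
    return rsearch((const unsigned char *)hay, (long)strlen(hay),
                   (const unsigned char *)needle, (long)strlen(needle),
                   guarded, &oob);
}

static int demo_oob_reads(const char *hay, const char *needle, int guarded)
{
    int oob;
    rsplit_count((const unsigned char *)hay, (long)strlen(hay),
                 (const unsigned char *)needle, (long)strlen(needle),
                 guarded, &oob);
    return oob;
}

int main(void)
{
    printf("rindex 'worm' in 'world': %ld; s[-1] reads unguarded=%d guarded=%d\n",
           demo_rsearch("world", "worm", 1),
           demo_oob_reads("world", "worm", 0), demo_oob_reads("world", "worm", 1));
    printf("rsplit 'mississippi' on 'ss': s[-1] reads unguarded=%d guarded=%d\n",
           demo_oob_reads("mississippi", "ss", 0),
           demo_oob_reads("mississippi", "ss", 1));
    return 0;
}
```

In the rindex case the bad read comes from the candidate-miss path (s[0] == 'w' but "worl" != "worm"), in the rsplit case from the plain skip path once the remaining prefix has shrunk to "mi"; the i > 0 guard removes both without changing any search result. When checking a real build, Valgrind or an ASan build of the interpreter reports the unguarded read directly, which this simulation only counts.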

