[New-bugs-announce] [issue17190] _FAST opcodes do no range checking

Larry Hastings report at bugs.python.org
Tue Feb 12 07:14:34 CET 2013


New submission from Larry Hastings:

The implementations for LOAD_FAST, STORE_FAST, and DELETE_FAST don't check that the index is <= the size of fastlocals.  So it's a snap to crash the interpreter with hand-written bytecode, by going past the end of the fastlocals array.  Kaboom!

Attached is a program that demonstrates a crash with each of LOAD_FAST, STORE_FAST, and DELETE_FAST.  These all crashed 2.7, 3.2, 3.3, and a recent trunk.  (Well, two exceptions: LOAD_FAST and DELETE_FAST didn't crash 3.2.  Given the behavior, my suspicion is not that 3.2 is hardened, just that there's something dopey with my thrown-together test.)

It could be that this is not an interesting bug, that policy suggests that anyone who can write their own bytecode is a Consenting Adult.  You tell me.

----------
components: Interpreter Core
files: crashy2.py
messages: 181944
nosy: larry
priority: normal
severity: normal
stage: needs patch
status: open
title: _FAST opcodes do no range checking
type: crash
versions: Python 2.7, Python 3.2, Python 3.3, Python 3.4
Added file: http://bugs.python.org/file29046/crashy2.py

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue17190>
_______________________________________
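
A defensive check for the condition reported above, as an added example that is not part of the original message or of CPython: it scans a code object for LOAD_FAST, STORE_FAST and DELETE_FAST operands that fall outside the fast-locals array, without executing the code. It assumes CPython 3.6+ wordcode (two bytes per instruction) and the 3.11+ frame layout noted in the comments; `fast_slot_count`, `scan_fast_indices`, `check_code` and `sample` are hypothetical names.

```python
import dis
import sys

# Opcodes named in the report; looked up by name because numbers vary by version.
FAST_OPS = {dis.opmap[n]: n for n in ("LOAD_FAST", "STORE_FAST", "DELETE_FAST")}


def fast_slot_count(code):
    """Number of valid fast-local slots for a code object."""
    if sys.version_info >= (3, 11):
        # Assumption: 3.11+ keeps cells and free variables in the same array,
        # after the plain locals (argument cells share their local slot).
        extra_cells = [c for c in code.co_cellvars if c not in code.co_varnames]
        return code.co_nlocals + len(extra_cells) + len(code.co_freevars)
    return code.co_nlocals


def scan_fast_indices(raw, slots):
    """Return (offset, opname, index) for every _FAST operand >= slots.

    Walks raw wordcode instead of dis.get_instructions(), which
    fails when it tries to resolve the name of an out-of-range index.
    """
    bad, ext = [], 0
    for off in range(0, len(raw) - 1, 2):
        op, arg = raw[off], raw[off + 1] | ext
        if op == dis.EXTENDED_ARG:
            ext = arg << 8  # prefix supplies the high bits of the next arg
            continue
        ext = 0
        if op in FAST_OPS and arg >= slots:
            bad.append((off, FAST_OPS[op], arg))
    return bad


def check_code(code):
    """Check a code object and every code object nested in its constants."""
    bad = scan_fast_indices(code.co_code, fast_slot_count(code))
    for const in code.co_consts:
        if hasattr(const, "co_code"):
            bad.extend(check_code(const))
    return bad


def sample(a, b):  # constructed sample with three locals
    c = a + b
    return c
```

Running `check_code()` on untrusted code objects (for example, those unmarshalled from a `.pyc`) before they reach the interpreter rejects the out-of-range indices described in the report.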