[ python-Bugs-1077106 ] Negative numbers to os.read() cause segfault
SourceForge.net
noreply at sourceforge.net
Sat Dec 4 05:29:42 CET 2004
Bugs item #1077106, was opened at 2004-12-01 16:40
Message generated for change (Comment added) made by rhettinger
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=1077106&group_id=5470
Category: Python Interpreter Core
Group: Python 2.4
Status: Open
Resolution: None
Priority: 5
Submitted By: Jp Calderone (kuran)
Assigned to: Nobody/Anonymous (nobody)
Summary: Negative numbers to os.read() cause segfault
Initial Comment:
Python 2.3.4 (#2, Sep 24 2004, 08:39:09)
[GCC 3.3.4 (Debian 1:3.3.4-12)] on linux2
Type "help", "copyright", "credits" or "license" for
more information.
>>> import sys, os
>>> stdin = sys.stdin.fileno()
>>> os.read(stdin, 0)
''
>>> os.read(stdin, 0)
''
>>> os.read(stdin, -1)
asdkljasd
'asdk\x01\x00\x00\x00\x00\x00'
>>> os.read(stdin, 100)
Segmentation fault
exarkun at boson:~$
This problem persists in Python 2.4, although the
resulting incorrect behavior differs slightly (at least
on my build), as is to be expected of a memory
corrupting bug.
Note that the value returned from os.read(stdin, -1) is
incorrect in addition to the subsequent read segfaulting.
----------------------------------------------------------------------
>Comment By: Raymond Hettinger (rhettinger)
Date: 2004-12-03 23:29
Message:
Logged In: YES
user_id=80475
In both Py2.3.4 and Py2.4, I get the following correct
behavior on WinME:
>>> os.read(si, -1)
Traceback (most recent call last):
  File "<stdin>", line 1, in ?
OSError: [Errno 22] Invalid argument
----------------------------------------------------------------------
Comment By: James Y Knight (foom)
Date: 2004-12-01 18:11
Message:
Logged In: YES
user_id=1104715
This appears to be because PyString_FromStringAndSize takes a signed int
for size, doesn't verify that it is > 0, and then adds it to
sizeof(PyStringObject):
    op = (PyStringObject *)PyObject_MALLOC(sizeof(PyStringObject) + size);
PyObject_MALLOC will fail if given a < 0 size, but, if size is >
-sizeof(PyStringObject), the object will be allocated, but too small. Then,
memory gets clobbered.
If it returned NULL like it should, posix_read's error handling would be
fine.
----------------------------------------------------------------------
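The size arithmetic described in the comment above, worked through as an added example that is not part of the original thread or of CPython's source. `toy_string`, `request_unchecked`, `is_undersized` and `toy_string_new` are hypothetical names standing in for PyStringObject and its allocator; only sizes are computed for the unchecked case, nothing is written out of bounds.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for PyStringObject: fixed header, then the bytes. */
typedef struct {
    long refcnt;
    int  length;
    char data[];            /* string bytes follow the header */
} toy_string;

/* The pattern from the comment: a signed size is added to sizeof(...)
 * and becomes the allocator request without being checked. */
static size_t request_unchecked(int size)
{
    return sizeof(toy_string) + size;   /* int is converted to size_t here */
}

/* 1 if the request is smaller than the header alone: the allocation
 * would succeed but could not even hold the object's fixed fields. */
static int is_undersized(int size)
{
    return request_unchecked(size) < sizeof(toy_string);
}

/* Hardened form: reject negative sizes before any arithmetic and
 * return NULL so the caller's existing error handling runs. */
static toy_string *toy_string_new(int size)
{
    toy_string *op;

    if (size < 0)
        return NULL;
    op = malloc(sizeof(toy_string) + (size_t)size + 1);  /* +1 for NUL */
    if (op == NULL)
        return NULL;
    op->refcnt = 1;
    op->length = size;
    op->data[size] = '\0';
    return op;
}

int main(void)
{
    printf("header=%zu request(-1)=%zu request(-4096)=%zu\n",
           sizeof(toy_string), request_unchecked(-1), request_unchecked(-4096));
    printf("checked(-1) -> %p\n", (void *)toy_string_new(-1));
    return 0;
}
```

A size of -1 yields a request one byte short of the header, which an allocator will satisfy; a size below -sizeof(toy_string) wraps to a huge request that the allocator refuses.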