[issue13334] Erroneous Size check in _PyString_Resize

Amaury Forgeot d'Arc report at bugs.python.org
Thu Nov 3 14:02:37 CET 2011


Amaury Forgeot d'Arc <amauryfa at gmail.com> added the comment:

Let's take an example: on a 32-bit system, call
   _PyString_Resize(&s, 0x7ffffff8)
Then PyStringObject_SIZE + newsize is something like -0x7ffffff8 (yes, it wraps around and is a negative number).
But when cast to an unsigned size_t (because that's what PyObject_REALLOC declares as parameter), it becomes 0x80000008, which is correct even if it is very likely to fail.
Did you experience something different?

----------
nosy: +amaury.forgeotdarc
resolution:  -> invalid
status: open -> pending

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue13334>
_______________________________________
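
The arithmetic described in the comment above, modeled with fixed-width 32-bit types so it behaves the same on any host. This is an added example, not CPython code and not part of the original message. HDR_SIZE = 0x10 is an assumption chosen so the sum matches the 0x80000008 quoted in the comment, and size_fits is a hypothetical pre-check shown for comparison.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: stand-in for PyStringObject_SIZE, picked to reproduce 0x80000008. */
#define HDR_SIZE 0x10u

/* Model a 32-bit signed size addition that wraps around. The add is done in
   unsigned arithmetic (well defined), then the bits are reinterpreted as
   signed, avoiding signed-overflow undefined behaviour on the host. */
static int32_t wrapped_signed_sum(int32_t newsize)
{
    uint32_t bits = (uint32_t)newsize + HDR_SIZE;
    int64_t v = (int64_t)bits;
    if (v >= INT64_C(0x80000000))
        v -= INT64_C(0x100000000);
    return (int32_t)v;
}

/* What a 32-bit size_t parameter receives: signed-to-unsigned conversion is
   defined modulo 2^32, so the negative value maps back to the true sum. */
static uint32_t as_size_t32(int32_t v)
{
    return (uint32_t)v;
}

/* Hypothetical overflow-safe check: compare against the limit before adding,
   so the signed sum can never wrap. Returns 1 when header + newsize fits. */
static int size_fits(int32_t newsize)
{
    return newsize >= 0 && (uint32_t)newsize <= (uint32_t)INT32_MAX - HDR_SIZE;
}

int main(void)
{
    int32_t newsize = 0x7ffffff8;          /* value from the comment */
    int32_t sum = wrapped_signed_sum(newsize);
    printf("signed sum      : %" PRId32 "\n", sum);
    printf("as 32-bit size_t: 0x%" PRIx32 "\n", as_size_t32(sum));
    printf("size_fits       : %d\n", size_fits(newsize));
    return 0;
}
```

The allocator sees the mathematically correct byte count only because the conversion to an unsigned type undoes the wrap; any signed comparison made on the intermediate sum would see a negative number.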

