[issue13496] bisect module: Overflow at index computation

Daniel Sturm report at bugs.python.org
Mon Nov 28 23:34:32 CET 2011

New submission from Daniel Sturm <voodoon42 at gmail.com>:

The mid index computation in _bisectmodule.c in both internal_bisect_right and internal_bisect_left is done with:

mid = (lo + hi) / 2; // all three variables Py_ssize_t

which is susceptible to overflows for large arrays, which would lead to undefined behavior (and in practice almost certainly a crash with a negative index).

The fix is trivial - mid = lo + (hi - lo) / 2; - but since I'm just starting to look into the code base I may be missing some undocumented assertions that guarantee this can't happen.

components: Extension Modules
messages: 148517
nosy: Voo
priority: normal
severity: normal
status: open
title: bisect module: Overflow at index computation
type: behavior
versions: Python 3.4

Python tracker <report at bugs.python.org>
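
Added example, not part of the original report and not CPython's code: a bisect_right loop using the midpoint proposed above, run over a constructed virtual sequence so that indices near the maximum can be exercised without allocating memory. The names ssize_type, sum_overflows, safe_mid, item_at and bisect_right_safe are illustrative assumptions, and ptrdiff_t stands in for Py_ssize_t.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for Py_ssize_t (assumption: signed, as wide as ptrdiff_t). */
typedef ptrdiff_t ssize_type;
#define SSIZE_TYPE_MAX PTRDIFF_MAX

/* True when lo + hi is not representable, i.e. when (lo + hi) / 2 would be
   undefined behaviour. Requires lo >= 0 and hi >= 0. */
static int sum_overflows(ssize_type lo, ssize_type hi)
{
    return hi > SSIZE_TYPE_MAX - lo;
}

/* Midpoint from the report: hi - lo cannot overflow when 0 <= lo <= hi. */
static ssize_type safe_mid(ssize_type lo, ssize_type hi)
{
    return lo + (hi - lo) / 2;
}

/* Constructed virtual sorted sequence: element i has value i. */
static ssize_type item_at(ssize_type i) { return i; }

/* bisect_right over [lo, hi) with the safe midpoint. *risky counts the
   iterations in which the original (lo + hi) / 2 would have overflowed. */
static ssize_type bisect_right_safe(ssize_type key, ssize_type lo,
                                    ssize_type hi, int *risky)
{
    *risky = 0;
    while (lo < hi) {
        if (sum_overflows(lo, hi))
            (*risky)++;
        ssize_type mid = safe_mid(lo, hi);
        if (key < item_at(mid))
            hi = mid;
        else
            lo = mid + 1;   /* mid < hi, so mid + 1 cannot overflow */
    }
    return lo;
}

int main(void)
{
    int risky;
    ssize_type pos = bisect_right_safe(SSIZE_TYPE_MAX - 2, 0, SSIZE_TYPE_MAX, &risky);
    printf("insertion point = %td, overflowing iterations = %d\n", pos, risky);
    return 0;
}
```

The overflow condition is checked before any addition is performed, so the example itself never executes the undefined operation it is counting.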
