[Python-Dev] What do we do about bad slicing and possible crashes (issue 27867)

Terry Reedy tjreedy at udel.edu
Sat Aug 27 18:25:40 EDT 2016

Slicing can be made to malfunction and even crash with an 'evil' 
__index__ method. https://bugs.python.org/issue27867

The crux of the problem is this: PySlice_GetIndicesEx
receives a slice object and a sequence length.  Calling __index__ on the 
start, stop, and step components can mutate the sequence and invalidate 
the length.  Adjusting the int values of start and stop according to an 
invalid length (in particular, one that is too long) will result in 
invalid results or a crash.

Possible actions -- very briefly.  For more see end of
https://bugs.python.org/issue27867?@ok_message=msg 273801
0. Do nothing.
1. Detect length change and raise.
2. Retrieve length after any possible changes and proceed as normal.

Possible implementation strategies for 1. and 2.
A. Change all functions that call PySlice_GetIndicesEx.
B. Add PySlice_GetIndicesEx2 (or ExEx?), which would receive *collection 
instead of length, so the length could be retrieved after the __index__ 
calls.  Change calls. Deprecate PySlice_GetIndicesEx.

Which of the 4 possible patches, if any, would be best?
I personally prefer 2B.

And what versions should be patched?

Terry Jan Reedy

More information about the Python-Dev mailing list