[ python-Bugs-1451641 ] segfault in optimize_code()

SourceForge.net noreply at sourceforge.net
Fri Mar 17 00:14:39 CET 2006


Bugs item #1451641, was opened at 2006-03-16 20:43
Message generated for change (Comment added) made by mwh
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=1451641&group_id=5470

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Parser/Compiler
Group: Python 2.4
Status: Open
Resolution: None
Priority: 5
Submitted By: Kristján Valur (krisvale)
Assigned to: Nobody/Anonymous (nobody)
Summary: segfault in optimize_code()

Initial Comment:
The function optimize_code() is called, for example 
when unpickling code objects.  However, with corrupt 
data it can cause segfaults.

This is because of code such as:
    tgt = GETJUMPTGT(codestr, (i+1));
    if (codestr[tgt])
        continue;

tgt can in this case easily be some nonsense and 
cause an access violation when used as an index into 
codestr.  This behaviour has been observed.

My particular patch is this:
#define CHECK_I(i) do {if ((i)<0 || (i)>=codelen) goto exitError;}while(0)
#define CHECKARG(i) do {CHECK_I(i+1); CHECK_I(i+2);} while(0)
#define CHECKJUMPTGT(i) do{CHECKARG(i); CHECK_I(i);} while(0)

then, adding tests such as
CHECKJUMPTGT(j);
  before code that looks like
tgt = GETJUMPTGT(j);
  and
CHECK_I(tgt);
  before
codestr[tgt] = foo;

Also, this function needs to be able to raise an 
exception.  jcompile() must be able to deal with this 
case.

Finally, this is also an issue in 2.3 (actually, I 
discovered it there, but a quick look seems to 
indicate it is a problem in 2.4 too).



----------------------------------------------------------------------

>Comment By: Michael Hudson (mwh)
Date: 2006-03-16 23:14

Message:
Logged In: YES 
user_id=6656

I don't *think* optimize_code is called for unmarshalled code objects any more 
(i.e. in 2.4 and 2.5/SVN HEAD).  But I could be wrong.

If not, and so optimize_code is only called with code freshly generated from the 
compiler, this isn't really an issue, is it?

----------------------------------------------------------------------
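Added example, not code from the bug report, from Michael Hudson's reply, or from CPython itself: a stripped-down C model of the jump-target scan in optimize_code(), with the CHECK_I / CHECKARG / CHECKJUMPTGT macros from the report applied before every index into codestr. The opcode numbers, the GETARG/GETJUMPTGT definitions, and the sample bytecode strings are assumptions constructed for this example; scan_jumps() and the demo_* functions are hypothetical names.

```c
#include <stdio.h>

/* Opcode numbers and operand encoding are assumptions for this example,
 * modelled on the CPython 2.x layout: opcodes below HAVE_ARGUMENT are one
 * byte, the others carry a 16-bit little-endian argument. */
#define HAVE_ARGUMENT 90
#define POP_TOP       1
#define JUMP_FORWARD  110   /* relative: target = i + 3 + arg */
#define JUMP_ABSOLUTE 113   /* absolute: target = arg */

#define GETARG(arr, i)      (((int)(arr)[(i) + 2] << 8) | (arr)[(i) + 1])
#define ABSOLUTE_JUMP(op)   ((op) == JUMP_ABSOLUTE)
#define GETJUMPTGT(arr, i)  (GETARG(arr, i) + (ABSOLUTE_JUMP((arr)[i]) ? 0 : (i) + 3))

/* Bounds checks in the shape of the report's patch; like the report's
 * macros they rely on a variable named codelen being in scope. */
#define CHECK_I(i)      do { if ((i) < 0 || (i) >= codelen) goto exitError; } while (0)
#define CHECKARG(i)     do { CHECK_I((i) + 1); CHECK_I((i) + 2); } while (0)
#define CHECKJUMPTGT(i) do { CHECKARG(i); CHECK_I(i); } while (0)

/* Walk codestr; for each jump, resolve its target and read the opcode
 * found there, which is what the peephole pass does before deciding
 * whether to rewrite the jump.  Returns the number of jumps examined,
 * or -1 if any index would fall outside codestr. */
int scan_jumps(const unsigned char *codestr, int codelen)
{
    int i, jumps = 0;

    for (i = 0; i < codelen; ) {
        unsigned char op = codestr[i];

        if (op == JUMP_FORWARD || op == JUMP_ABSOLUTE) {
            int tgt;
            CHECKJUMPTGT(i);                 /* are i, i+1, i+2 readable? */
            tgt = GETJUMPTGT(codestr, i);
            CHECK_I(tgt);                    /* validate before codestr[tgt] */
            if (codestr[tgt] == POP_TOP) {
                /* the real pass would decide on a rewrite here */
            }
            jumps++;
        }
        i += (op >= HAVE_ARGUMENT) ? 3 : 1;
    }
    return jumps;

exitError:
    return -1;                               /* the caller must propagate this */
}

/* Constructed sample inputs. */
int demo_well_formed(void)
{
    /* JUMP_FORWARD +1 lands on the second POP_TOP; JUMP_ABSOLUTE 0 hits offset 0. */
    static const unsigned char code[] = { JUMP_FORWARD, 1, 0, POP_TOP, POP_TOP,
                                          JUMP_ABSOLUTE, 0, 0 };
    return scan_jumps(code, (int)sizeof code);
}

int demo_corrupt_target(void)
{
    /* Argument 0xFFFF: without the check this would read codestr[65535]. */
    static const unsigned char code[] = { POP_TOP, JUMP_ABSOLUTE, 0xFF, 0xFF };
    return scan_jumps(code, (int)sizeof code);
}

int demo_truncated(void)
{
    /* A jump whose two argument bytes are cut off by the end of the string. */
    static const unsigned char code[] = { JUMP_FORWARD, 1 };
    return scan_jumps(code, (int)sizeof code);
}

int main(void)
{
    printf("well-formed: %d jumps\n", demo_well_formed());
    printf("corrupt target: %d\n", demo_corrupt_target());
    printf("truncated: %d\n", demo_truncated());
    return 0;
}
```

scan_jumps() returns -1 for the two corrupt inputs exactly where the unchecked version would have indexed past the end of codestr; as the report notes, that error return is only useful if the caller (jcompile() in the real code) is changed to handle it rather than assume the optimizer always succeeds.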
