[ python-Bugs-1451641 ] segfault in optimize_code()
SourceForge.net
noreply at sourceforge.net
Fri Mar 17 00:14:39 CET 2006
Bugs item #1451641, was opened at 2006-03-16 20:43
Message generated for change (Comment added) made by mwh
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=1451641&group_id=5470
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Parser/Compiler
Group: Python 2.4
Status: Open
Resolution: None
Priority: 5
Submitted By: Kristján Valur (krisvale)
Assigned to: Nobody/Anonymous (nobody)
Summary: segfault in optimize_code()
Initial Comment:
The function optimize_code() is called, for example
when unpickling code objects. However, with corrupt
data it can cause segfaults.
This is because of code such as:
tgt = GETJUMPTGT(codestr, (i+1))
if (codestr[tgt])
continue;
tgt can in this case easily be some nonsense and
cause access violation when used as an index into
codestr. This behaviour has been observed.
My particular patch is this:
#define CHECK_I(i) do {if ((i)<0 || (i)>=codelen)
goto exitError;}while(0)
#define CHECKARG(i) do {CHECK_I(i+1); CHECK_I(i+2);}
while(0)
#define CHECKJUMPTGT(i) do{CHECKARG(i); CHECK_I(i);}
while(0)
then, adding tests such as
CHECKJUMPTGT(j);
before code that looks like
tgt = GETJUMPTGT(j);
and
CHECK_I(tgt);
before
codestr[tgt] = foo;
Also, this function needs to be able to raise an
exception. jcompile() must be able to deal with this
case.
Finally, this is also an issue in 2.3 (actually, I
discovered it there, but a quick look seems to
indicate it being a problem in 2.4 too.
----------------------------------------------------------------------
>Comment By: Michael Hudson (mwh)
Date: 2006-03-16 23:14
Message:
Logged In: YES
user_id=6656
I don't *think* optimize_code is called for unmarshalled code objects any more
(i.e. in 2.4 and 2.5/SVN HEAD). But I could be wrong.
If not, and so optimize_code is only called with code freshly generated from the
compiler, this isn't really an issue, is it?
----------------------------------------------------------------------
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=1451641&group_id=5470
More information about the Python-bugs-list
mailing list