[ python-Bugs-1451641 ] segfault in optimize_code()

SourceForge.net noreply at sourceforge.net
Fri Mar 17 00:27:44 CET 2006


Bugs item #1451641, was opened at 2006-03-16 15:43
Message generated for change (Comment added) made by rhettinger
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=1451641&group_id=5470

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Parser/Compiler
Group: Python 2.4
>Status: Closed
>Resolution: Invalid
Priority: 5
Submitted By: Kristján Valur (krisvale)
Assigned to: Nobody/Anonymous (nobody)
Summary: segfault in optimize_code()

Initial Comment:
The function optimize_code() is called, for example 
when unpickling code objects.  However, with corrupt 
data it can cause segfaults.

This is because of code such as:
tgt = GETJUMPTGT(codestr, (i+1))
if (codestr[tgt])
    continue;

tgt can in this case easily be some nonsense and 
cause access violation when used as an index into 
codestr.  This behaviour has been observed.

My particular patch is this:
#define CHECK_I(i) do {if ((i)<0 || (i)>=codelen) goto exitError;}while(0)
#define CHECKARG(i) do {CHECK_I(i+1); CHECK_I(i+2);} while(0)
#define CHECKJUMPTGT(i) do{CHECKARG(i); CHECK_I(i);} while(0)

then, adding tests such as
CHECKJUMPTGT(j);
  before code that looks like
tgt = GETJUMPTGT(j);
  and
CHECK_I(tgt);
  before
codestr[tgt] = foo;

Also, this function needs to be able to raise an 
exception.  jcompile() must be able to deal with this 
case.

Finally, this is also an issue in 2.3 (actually, I 
discovered it there, but a quick look seems to 
indicate it being a problem in 2.4 too).



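As an added illustration (not part of the report, and not CPython's own peephole.c), the bounds discipline that the CHECK_I / CHECKARG / CHECKJUMPTGT macros above express, written as standalone C functions over a toy 3-byte bytecode encoding: an opcode byte, followed by a 16-bit little-endian argument for opcodes at or above HAVE_ARGUMENT. The opcode numbers follow CPython 2.x's opcode table but nothing here depends on them; get_arg, checked_jump_target, count_bad_jumps and the sample buffers are constructed for this example.

```c
/* Added example: validate jump targets before indexing codestr, instead of
 * the unchecked "tgt = GETJUMPTGT(...); if (codestr[tgt])" pattern in the
 * report. Not code from the bug report or from CPython. */
#include <stdio.h>
#include <stddef.h>

#define HAVE_ARGUMENT 90   /* opcodes >= this carry a 2-byte argument */
#define NOP            9
#define JUMP_FORWARD  110  /* argument is relative to the next instruction */
#define JUMP_ABSOLUTE 113  /* argument is an absolute index into codestr */

/* Hypothetical equivalent of GETARG: 16-bit little-endian argument.
 * Callers must have verified that i+2 < codelen. */
static unsigned get_arg(const unsigned char *codestr, size_t i)
{
    return (unsigned)codestr[i + 1] | ((unsigned)codestr[i + 2] << 8);
}

/* Compute the target of the jump at index i and store it in *tgt.
 * Returns 0 on success, -1 if the instruction, either argument byte,
 * or the resulting target lies outside [0, codelen). This is the
 * CHECKJUMPTGT-then-CHECK_I(tgt) ordering from the report. */
int checked_jump_target(const unsigned char *codestr, size_t codelen,
                        size_t i, size_t *tgt)
{
    if (i >= codelen)
        return -1;                        /* CHECK_I(i) */
    unsigned char op = codestr[i];
    if (op < HAVE_ARGUMENT)
        return -1;                        /* no argument, so not a jump */
    if (i + 2 >= codelen)
        return -1;                        /* CHECKARG: argument truncated */
    size_t arg = get_arg(codestr, i);
    size_t t;
    if (op == JUMP_ABSOLUTE)
        t = arg;
    else if (op == JUMP_FORWARD)
        t = i + 3 + arg;
    else
        return -1;                        /* not a jump opcode we model */
    if (t >= codelen)
        return -1;                        /* CHECK_I(tgt) before codestr[tgt] */
    *tgt = t;
    return 0;
}

/* Walk a whole buffer and count instructions whose argument or jump
 * target would index outside codestr. A corrupt stream can also end
 * mid-instruction, which is counted as well. Returns the count. */
int count_bad_jumps(const unsigned char *codestr, size_t codelen)
{
    int bad = 0;
    size_t i = 0;
    while (i < codelen) {
        unsigned char op = codestr[i];
        if (op < HAVE_ARGUMENT) {
            i += 1;
            continue;
        }
        if (op == JUMP_ABSOLUTE || op == JUMP_FORWARD) {
            size_t tgt;
            if (checked_jump_target(codestr, codelen, i, &tgt) != 0)
                bad++;
        } else if (i + 2 >= codelen) {
            bad++;                        /* non-jump with truncated argument */
        }
        i += 3;
    }
    return bad;
}

/* Constructed sample streams (not real marshalled code). */
const unsigned char sample_ok[]        = { NOP, JUMP_ABSOLUTE, 0, 0, NOP };
const unsigned char sample_corrupt[]   = { JUMP_ABSOLUTE, 0xFF, 0xFF, NOP };
const unsigned char sample_truncated[] = { NOP, JUMP_FORWARD, 1 };
const unsigned char sample_fwd_ok[]    = { JUMP_FORWARD, 1, 0, NOP, NOP };
const unsigned char sample_fwd_bad[]   = { JUMP_FORWARD, 2, 0, NOP, NOP };
const size_t sample_ok_len        = sizeof sample_ok;
const size_t sample_corrupt_len   = sizeof sample_corrupt;
const size_t sample_truncated_len = sizeof sample_truncated;
const size_t sample_fwd_ok_len    = sizeof sample_fwd_ok;
const size_t sample_fwd_bad_len   = sizeof sample_fwd_bad;

int main(void)
{
    printf("ok stream: %d bad jump(s)\n",
           count_bad_jumps(sample_ok, sample_ok_len));
    printf("corrupt stream: %d bad jump(s)\n",
           count_bad_jumps(sample_corrupt, sample_corrupt_len));
    printf("truncated stream: %d bad jump(s)\n",
           count_bad_jumps(sample_truncated, sample_truncated_len));
    return 0;
}
```

The check order matters: the argument bytes are validated before they are read, and the computed target is validated before it is used as an index, which is exactly the point the macros make about reading codestr[tgt] only after CHECK_I(tgt).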
----------------------------------------------------------------------

>Comment By: Raymond Hettinger (rhettinger)
Date: 2006-03-16 18:27

Message:
Logged In: YES 
user_id=80475

For 2.4, Michael is correct and the optimizer only applied 
to internally generated code.

Also, FWIW, in Py2.5, I'm planning to move the optimizer 
to appear before the assembler instead of after -- this 
will both speed it up and simplify it.

Also, discussions on python-dev have noted that there are 
a number of ways to make bad things happen if you execute 
corrupt byte-code.  IIRC, there is a proposal for a Java 
style byte-code verifier to be put in place someday.

----------------------------------------------------------------------

Comment By: Michael Hudson (mwh)
Date: 2006-03-16 18:14

Message:
Logged In: YES 
user_id=6656

I don't *think* optimize_code is called for unmarshalled code objects any more 
(i.e. in 2.4 and 2.5/SVN HEAD).  But I could be wrong.

If not, and so optimize_code is only called with code freshly generated from the 
compiler, this isn't really an issue, is it?

----------------------------------------------------------------------
