[issue23363] integer overflow in itertools.permutations
paul
report at bugs.python.org
Sun Feb 1 14:54:13 CET 2015
New submission from paul:
# Bug
# ---
#
# static PyObject *
# permutations_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
# {
# ...
# 1 cycles = PyMem_Malloc(r * sizeof(Py_ssize_t));
# ...
# for (i=0 ; i<r ; i++)
# 2 cycles[i] = n - i;
#
# 1. if r=2^30, then r*sizeof(Py_ssize_t)=2^30*2^2=0 (modulo 2^32), so malloc
# allocates a 0 byte buffer
# 2. r=2^30>0, so we write well beyond the buffer's end
#
# Crash
# -----
#
# Breakpoint 1, permutations_new (type=0x83394e0 <permutations_type>, args=('A', 1073741824), kwds=0x0) at ./Modules/itertoolsmodule.c:3012
# ...
# 3044 indices = PyMem_Malloc(n * sizeof(Py_ssize_t));
# (gdb) print r
# $2 = 1073741824
# (gdb) print r*4
# $3 = 0
# (gdb) c
# Continuing.
#
# Program received signal SIGSEGV, Segmentation fault.
# 0x08230900 in permutations_new (type=0x83394e0 <permutations_type>, args=('A', 1073741824), kwds=0x0) at ./Modules/itertoolsmodule.c:3054
# 3054 cycles[i] = n - i;
#
# OS info
# -------
#
# % ./python -V
# Python 3.4.1
#
# % uname -a
# Linux ubuntu 3.8.0-29-generic #42~precise1-Ubuntu SMP Wed Aug 14 15:31:16 UTC 2013 i686 i686 i386 GNU/Linux
#
import itertools as it
it.permutations("A", 2**30)
----------
files: poc_permutations.py
messages: 235170
nosy: pkt
priority: normal
severity: normal
status: open
title: integer overflow in itertools.permutations
type: crash
versions: Python 3.4
Added file: http://bugs.python.org/file37962/poc_permutations.py
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue23363>
_______________________________________
More information about the Python-bugs-list
mailing list