[New-bugs-announce] [issue23366] integer overflow in itertools.combinations

paul report at bugs.python.org
Sun Feb 1 14:56:22 CET 2015


New submission from paul:

# Bug
# ---
# 
# static PyObject *
# combinations_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
# {
#     ...
# 
# 1   indices = PyMem_Malloc(r * sizeof(Py_ssize_t));
#     ...
# 
#     for (i=0 ; i<r ; i++)
# 2       indices[i] = i;
# 
# 1. if r=2^30, then r*sizeof(Py_ssize_t)=2^30*2^2=0 (modulo 2^32), so malloc
#    allocates a 0 byte buffer
# 2. r=2^30>0, so we write well beyond the buffer's end
# 
# Crash
# -----
# 
# Breakpoint 1, combinations_new (type=0x83390c0 <combinations_type>, args=('AA', 1073741824), kwds=0x0)
#     at ./Modules/itertoolsmodule.c:2343
# 2343        PyObject *pool = NULL;
# ...
# (gdb) n
# 2362        indices = PyMem_Malloc(r * sizeof(Py_ssize_t));
# (gdb) print r
# $1 = 1073741824
# (gdb) print r*4
# $2 = 0
# (gdb) c
# Continuing.
#  
# Program received signal SIGSEGV, Segmentation fault.
# 0x0822f359 in combinations_new (type=0x83390c0 <combinations_type>, args=('AA', 1073741824), kwds=0x0)
#     at ./Modules/itertoolsmodule.c:2369
# 2369            indices[i] = i;


# OS info
# -------
# 
# % ./python -V
# Python 3.4.1
#  
# % uname -a
# Linux ubuntu 3.8.0-29-generic #42~precise1-Ubuntu SMP Wed Aug 14 15:31:16 UTC 2013 i686 i686 i386 GNU/Linux
#  
 
import itertools as it
it.combinations("AA", 2**30)

----------
files: poc_combinations.py
messages: 235174
nosy: pkt
priority: normal
severity: normal
status: open
title: integer overflow in itertools.combinations
type: crash
versions: Python 3.4
Added file: http://bugs.python.org/file37965/poc_combinations.py

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue23366>
_______________________________________
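
The size wrap described in the report, and a guard that rejects the count before multiplying, as an added example (not code from the report or from CPython). It models the 32-bit target with fixed-width types so it behaves the same on a 64-bit host; `ssize32_t`, `SSIZE32_MAX`, `unchecked_nbytes` and `alloc_indices` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the i686 build in the report: size_t is 32 bits and
 * Py_ssize_t is a signed 32-bit integer, so sizeof(Py_ssize_t) == 4. */
typedef int32_t ssize32_t;        /* stands in for Py_ssize_t */
#define SSIZE32_MAX INT32_MAX     /* stands in for PY_SSIZE_T_MAX */

/* Size computation as written in the excerpt: wraps modulo 2^32. */
static uint32_t unchecked_nbytes(ssize32_t r)
{
    return (uint32_t)r * (uint32_t)sizeof(ssize32_t);
}

/* Guarded allocation: reject any r whose byte count cannot be represented,
 * before multiplying. Returns NULL on a rejected count or failed malloc. */
static ssize32_t *alloc_indices(ssize32_t r)
{
    if (r < 0 || (uint32_t)r > (uint32_t)SSIZE32_MAX / sizeof(ssize32_t))
        return NULL;

    size_t nbytes = (size_t)r * sizeof(ssize32_t);
    ssize32_t *indices = malloc(nbytes ? nbytes : 1);
    if (indices == NULL)
        return NULL;

    for (ssize32_t i = 0; i < r; i++)
        indices[i] = i;           /* stays inside the nbytes just allocated */
    return indices;
}

int main(void)
{
    ssize32_t r = 1073741824;     /* 2^30, the value from the report */
    ssize32_t *big = alloc_indices(r);
    ssize32_t *small = alloc_indices(3);

    printf("unchecked byte count for r=2^30: %u\n",
           (unsigned)unchecked_nbytes(r));
    printf("guarded allocation for r=2^30: %s\n",
           big ? "allocated" : "rejected");
    printf("guarded allocation for r=3: %s\n",
           small ? "allocated" : "rejected");
    free(big);
    free(small);
    return 0;
}
```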

