[issue22939] integer overflow in iterator object
Clement Rouault
report at bugs.python.org
Tue Nov 25 11:56:33 CET 2014
New submission from Clement Rouault:
I found an interger overflow in the standard iterator object (Objects/iterobject.c)
The `it_index` attribute used by the iterator is a `Py_ssize_t` but overflow is never checked. So after the index `PY_SSIZE_T_MAX`, the iterator object will ask for the index `PY_SSIZE_T_MIN`.
Here is an example:
import sys
class Seq:
def __getitem__(self, item):
print("[-] Asked for item at <{0}>".format(item))
return 0
s = Seq()
i = iter(s)
# Manually set `it_index` to PY_SSIZE_T_MAX without a loop
i.__setstate__(sys.maxsize)
next(i)
[-] Asked for item at <9223372036854775807>
next(i)
[-] Asked for item at <-9223372036854775808>
I would be really interested in writing a patch but first I wanted to discuss the expected behaviour and fix.
The iterator could stop after `PY_SSIZE_T_MAX` but it seems strange as other iterator (like `enumobject`) handle values bigger than `PY_SSIZE_T_MAX`.
Or the same technique used in `enumobject` could be used: adding a field `PyObject* en_longindex` (a python long) which would be used for values bigger than `PY_SSIZE_T_MAX`
----------
components: Interpreter Core
messages: 231651
nosy: hakril
priority: normal
severity: normal
status: open
title: integer overflow in iterator object
type: behavior
versions: Python 3.5
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue22939>
_______________________________________
More information about the Python-bugs-list
mailing list