[issue42609] Eval with too high string multiplication crashes newer Python versions

Steve Stagg report at bugs.python.org
Thu Dec 10 16:34:01 EST 2020


Steve Stagg <stestagg at gmail.com> added the comment:

In Python 3.7/3.8, it's a stack overflow in the constant folding code.

On master, the overflow seems to come out of validate_expr.c.

* thread #1, name = 'python3', stop reason = signal SIGSEGV: invalid address (fault address: 0x7fffff7feff8)
    frame #0: 0x00005555557aadba python3`validate_expr(exp=0x00005555602617c0, ctx=Load) at ast.c:224:16
   221          }
   222          return validate_exprs(exp->v.BoolOp.values, Load, 0);
   223      case BinOp_kind:
-> 224          return validate_expr(exp->v.BinOp.left, Load) &&
   225              validate_expr(exp->v.BinOp.right, Load);
   226      case UnaryOp_kind:
   227          return validate_expr(exp->v.UnaryOp.operand, Load);


300,000-ish stack frames of this:

    frame #70832: 0x00005555557aadbf python3`validate_expr(exp=0x000055556150af40, ctx=Load) at ast.c:224:16
    frame #70833: 0x00005555557aadbf python3`validate_expr(exp=0x000055556150b050, ctx=Load) at ast.c:224:16
    frame #70834: 0x00005555557aadbf python3`validate_expr(exp=0x000055556150b160, ctx=Load) at ast.c:224:16
    frame #70835: 0x00005555557aadbf python3`validate_expr(exp=0x000055556150b270, ctx=Load) at ast.c:224:16
    frame #70836: 0x00005555557aadbf python3`validate_expr(exp=0x000055556150b380, ctx=Load) at ast.c:224:16
    frame #70837: 0x00005555557aadbf python3`validate_expr(exp=0x000055556150b490, ctx=Load) at ast.c:224:16
    frame #70838: 0x00005555557aadbf python3`validate_expr(exp=0x000055556150b5a0, ctx=Load) at ast.c:224:16
    frame #70839: 0x00005555557aadbf python3`validate_expr(exp=0x000055556150b6b0, ctx=Load) at ast.c:224:16


On the one hand, pure Python code should never segfault; on the other hand, `eval`-ing untrusted input has bigger problems than a segfault on carefully crafted input.

----------

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue42609>
_______________________________________
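The recursion the backtrace shows is the compiler descending one `BinOp` per operand of a left-associative chain, so the depth of the tree grows with the length of the expression. The following is an added example (not code from the tracker or from CPython) that measures that depth iteratively and refuses to compile an expression whose nesting exceeds a limit; it assumes the source text parses with `ast.parse`, which is a separate stage from the constant folding and `validate_expr` passes in which the report places the crash.

```python
import ast


def expr_depth(source: str) -> int:
    """Return the longest root-to-leaf path (in AST nodes) of an expression.

    The walk uses an explicit stack rather than recursion, so measuring a
    deep tree does not itself run into Python's recursion limit.  A chain of
    k operands such as "1+1+...+1" parses as k-1 nested BinOp nodes, so its
    depth is k: this is the shape that produced ~300,000 validate_expr frames
    in the report.
    """
    tree = ast.parse(source, mode="eval")
    deepest = 0
    stack = [(tree.body, 1)]
    while stack:
        node, depth = stack.pop()
        deepest = max(deepest, depth)
        for child in ast.iter_child_nodes(node):
            stack.append((child, depth + 1))
    return deepest


def compile_bounded(source: str, max_depth: int = 200):
    """Compile an expression only if its AST nesting stays within max_depth.

    max_depth is an assumed, deliberately conservative default; pick it well
    below the recursion the target interpreter's compiler can tolerate.
    """
    depth = expr_depth(source)
    if depth > max_depth:
        raise ValueError(f"expression nesting {depth} exceeds limit {max_depth}")
    return compile(source, "<untrusted>", "eval")


if __name__ == "__main__":
    # Constructed inputs: a short string-multiplication chain and a long
    # additive chain whose depth equals its operand count.
    print(expr_depth("'ab' * 2 * 2"))            # 3
    print(expr_depth("+".join(["1"] * 300)))     # 300
    print(eval(compile_bounded("'ab' * 2 * 2")))  # abababab
    try:
        compile_bounded("+".join(["1"] * 300))
    except ValueError as err:
        print("rejected:", err)
```

Callers should also be prepared for `ast.parse` itself to raise `SyntaxError`, `RecursionError` or `MemoryError` on pathological input, depending on the interpreter version.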

