[issue42609] Eval with too high string multiplication crashes newer Python versions
Steve Stagg
report at bugs.python.org
Thu Dec 10 16:34:01 EST 2020
Steve Stagg <stestagg at gmail.com> added the comment:
In Python 3.7/8, it's a stack overflow in the constant folding code.
On master, the overflow seems to come out of validate_expr.c.
* thread #1, name = 'python3', stop reason = signal SIGSEGV: invalid address (fault address: 0x7fffff7feff8)
frame #0: 0x00005555557aadba python3`validate_expr(exp=0x00005555602617c0, ctx=Load) at ast.c:224:16
221 }
222 return validate_exprs(exp->v.BoolOp.values, Load, 0);
223 case BinOp_kind:
-> 224 return validate_expr(exp->v.BinOp.left, Load) &&
225 validate_expr(exp->v.BinOp.right, Load);
226 case UnaryOp_kind:
227 return validate_expr(exp->v.UnaryOp.operand, Load);
300,000 ish stack frames of this:
frame #70832: 0x00005555557aadbf python3`validate_expr(exp=0x000055556150af40, ctx=Load) at ast.c:224:16
frame #70833: 0x00005555557aadbf python3`validate_expr(exp=0x000055556150b050, ctx=Load) at ast.c:224:16
frame #70834: 0x00005555557aadbf python3`validate_expr(exp=0x000055556150b160, ctx=Load) at ast.c:224:16
frame #70835: 0x00005555557aadbf python3`validate_expr(exp=0x000055556150b270, ctx=Load) at ast.c:224:16
frame #70836: 0x00005555557aadbf python3`validate_expr(exp=0x000055556150b380, ctx=Load) at ast.c:224:16
frame #70837: 0x00005555557aadbf python3`validate_expr(exp=0x000055556150b490, ctx=Load) at ast.c:224:16
frame #70838: 0x00005555557aadbf python3`validate_expr(exp=0x000055556150b5a0, ctx=Load) at ast.c:224:16
frame #70839: 0x00005555557aadbf python3`validate_expr(exp=0x000055556150b6b0, ctx=Load) at ast.c:224:16
On the one hand, pure Python code should never segfault; on the other hand, `eval`ling untrusted input has bigger problems than a segfault on carefully crafted input.
----------
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue42609>
_______________________________________
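
The failure mode in the message above is unbounded recursion over a left-deep chain of BinOp nodes. The following is an added example, not code from the message or from CPython: a toy validator with the same recursion shape plus a depth budget, so an over-deep tree is rejected instead of exhausting the C stack. The `node` type, the `MAX_DEPTH` value and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy AST (not CPython's): a constant leaf or a binary operation. */
typedef struct node {
    int is_binop;
    struct node *left, *right;        /* set only when is_binop */
} node;

#define MAX_DEPTH 1000                /* assumed limit, for illustration */

/* Same recursion shape as the BinOp case in the backtrace, plus a depth
 * budget: returns 1 if valid, 0 if malformed or nested too deeply. */
static int validate(const node *n, int depth)
{
    if (n == NULL || depth > MAX_DEPTH) return 0;
    if (!n->is_binop) return 1;
    return validate(n->left, depth + 1) && validate(n->right, depth + 1);
}

/* Free a left-deep chain iteratively, so cleanup cannot overflow either. */
static void free_chain(node *n)
{
    while (n) {
        node *next = n->is_binop ? n->left : NULL;
        if (n->is_binop) free(n->right);
        free(n);
        n = next;
    }
}

/* Constructed input: ((c op c) op c) ... with `ops` operators, validated
 * and freed. Returns validate()'s result, or -1 on allocation failure. */
static int check_chain(int ops)
{
    node *cur = calloc(1, sizeof *cur);
    for (int i = 0; cur && i < ops; i++) {
        node *b = calloc(1, sizeof *b), *r = calloc(1, sizeof *r);
        if (!b || !r) { free(b); free(r); free_chain(cur); return -1; }
        b->is_binop = 1; b->left = cur; b->right = r;
        cur = b;
    }
    if (!cur) return -1;
    int ok = validate(cur, 0);
    free_chain(cur);
    return ok;
}

int main(void) { printf("%d %d\n", check_chain(100), check_chain(300000)); return 0; }
```

With the budget in place, the 300,000-operator chain costs at most `MAX_DEPTH + 1` nested calls before the validator returns failure, which the caller can turn into an ordinary error.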