Description
Jordan Limor reported an issue in the C list_resize() function called when a Python list is resized:
When list_resize is hit with the maximum value for a c_ssize_t, the
overallocation strategy causes an overflow in the total allocated bytes.
This results in a call to PyMem_Realloc where the argument is 0 (and one
byte is allocated), but the resulting list's size is set to PY_SSIZE_T_MAX.
Example bug.py:

```python
import sys
import faulthandler; faulthandler.enable()

# Build a list whose allocation (65 slots) is far larger than its length (1),
# so the next resize cannot take the "already have enough room" fast path.
x = [0] * 65
del x[1:]
assert len(x) == 1

print("resize list", flush=True)
# PY_SSIZE_T_MAX: 1 * max_size passes the overflow check in list_inplace_repeat()
max_size = ((2 ** (tuple.__itemsize__ * 8) - 1) // 2)
x *= max_size
print(f"{len(x)=}")
print(f"{sys.getsizeof(x)=}")

# crash on reading uninitialized memory
print("x[8]=", end="", flush=True)
print(x[8])
```
Output:

```
$ python3.10 bug.py
resize list
Fatal Python error: Segmentation fault

Current thread 0x00007fe16ead0740 (most recent call first):
  File "bug.py", line 10 in <module>
Erreur de segmentation (core dumped)
```
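To make the arithmetic behind the report concrete, the following is an added example (not CPython's own code): a 64-bit model of the overallocation computation that `list_resize()` performs, followed by the unchecked byte-count multiplication that wraps to 0 for `newsize == PY_SSIZE_T_MAX`, and a checked variant that rejects the request instead. The `model_*` names, the `MODEL_*` constants and the fixed 64-bit item size are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from CPython: a model of the overallocation
 * arithmetic in list_resize(), fixed to a 64-bit build so the numbers are
 * deterministic. All names below are this example's own. */

#define MODEL_SSIZE_MAX  INT64_MAX   /* stands in for PY_SSIZE_T_MAX (64-bit) */
#define MODEL_ITEM_SIZE  8u          /* stands in for sizeof(PyObject *) (64-bit) */

/* Growth pattern: newsize + newsize/8 + 6, rounded down to a multiple of 4.
 * If that over-allocates far beyond the number of items being added, grow only
 * to the next multiple of 4 instead. Zero stays zero. */
uint64_t model_overallocate(int64_t oldsize, int64_t newsize)
{
    uint64_t new_allocated =
        ((uint64_t)newsize + (uint64_t)(newsize >> 3) + 6) & ~(uint64_t)3;
    if (newsize - oldsize > (int64_t)(new_allocated - (uint64_t)newsize))
        new_allocated = ((uint64_t)newsize + 3) & ~(uint64_t)3;
    if (newsize == 0)
        new_allocated = 0;
    return new_allocated;
}

/* Unchecked: the product silently wraps modulo 2^64. For newsize ==
 * MODEL_SSIZE_MAX the slot count is 2^63 and 2^63 * 8 wraps to 0, which is
 * the 0-byte realloc the report describes. */
uint64_t model_bytes_unchecked(uint64_t new_allocated)
{
    return new_allocated * MODEL_ITEM_SIZE;
}

/* Checked: refuse before multiplying when the product cannot fit in 64 bits.
 * Returns 1 and stores the byte count on success, 0 on overflow. */
int model_bytes_checked(uint64_t new_allocated, uint64_t *out_bytes)
{
    if (new_allocated > UINT64_MAX / MODEL_ITEM_SIZE)
        return 0;
    *out_bytes = new_allocated * MODEL_ITEM_SIZE;
    return 1;
}

int main(void)
{
    /* Same situation as bug.py: a 1-element list resized to PY_SSIZE_T_MAX. */
    uint64_t slots = model_overallocate(1, MODEL_SSIZE_MAX);
    uint64_t bytes = 0;

    printf("slots requested        : %llu\n", (unsigned long long)slots);
    printf("unchecked byte count   : %llu\n",
           (unsigned long long)model_bytes_unchecked(slots));
    if (!model_bytes_checked(slots, &bytes))
        printf("checked byte count     : overflow detected, allocation refused\n");

    /* Ordinary small growth for comparison: 1 element -> 4 slots -> 32 bytes. */
    slots = model_overallocate(0, 1);
    model_bytes_checked(slots, &bytes);
    printf("small resize           : %llu slots, %llu bytes\n",
           (unsigned long long)slots, (unsigned long long)bytes);
    return 0;
}
```

The checked variant is the shape of fix a reviewer would look for: compare against `UINT64_MAX / item_size` (or use the platform's overflow-checked multiply) before calling the allocator, and turn the overflow into a memory error rather than a tiny allocation paired with a huge `ob_size`.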