From: Alex Gaynor <alex.gaynor@gmail.com>
Date: Fri, 30 Mar 2012 12:45:25 +0000 (-0400)
Subject: Added a new crasher that targets mutating the underlying storage of a buffer.  All... 
X-Git-Tag: v2.7.4rc1~937
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=afa2e470db4ecb1e2a2ddd8dc3ba98eb6314edc9;p=python

Added a new crasher that targets mutating the underlying storage of a buffer.  All work done by Armin Rigo.
---

diff --git a/Lib/test/crashers/buffer_mutate.py b/Lib/test/crashers/buffer_mutate.py
new file mode 100644
index 0000000000..d68d7cc0fc
--- /dev/null
+++ b/Lib/test/crashers/buffer_mutate.py
@@ -0,0 +1,30 @@
+#
+# The various methods of bufferobject.c (here buffer_subscript()) call
+# get_buf() before calling potentially more Python code (here via
+# PySlice_GetIndicesEx()).  But get_buf() already returned a void*
+# pointer.  This void* pointer can become invalid if the object
+# underlying the buffer is mutated (here a bytearray object).
+#
+# As usual, please keep in mind that the three "here" in the sentence
+# above are only examples.  Each can be changed easily and lead to
+# another crasher.
+#
+# This crashes for me on Linux 32-bits with CPython 2.6 and 2.7
+# with a segmentation fault.
+#
+
+
+class PseudoIndex(object):
+    def __index__(self):
+        for c in "foobar"*n:
+            a.append(c)
+        return n * 4
+
+
+for n in range(1, 100000, 100):
+    a = bytearray("test"*n)
+    buf = buffer(a)
+
+    s = buf[:PseudoIndex():1]
+    #print repr(s)
+    #assert s == "test"*n