djsundog/circuitpython
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

py/objarray: Raise error on out-of-bound memoryview slice start.

Browse Source 
32-bit platforms only support a slice offset start of 24 bit max due to the
limited size of the mp_obj_array_t.free member.  Similarly on 64-bit
platforms the limit is 56 bits.

This commit adds an OverflowError if the user attempts to slice a
memoryview beyond this limit.

Signed-off-by: Damien George <damien@micropython.org>
This commit is contained in:
Andrew Leech 2022-08-07 16:24:37 +10:00 committed by Damien George
parent d6bc34a13a
commit 5c4153ea37
4 changed files with 37 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
py/objarray.c
View File

@ -53,6 +53,7 @@
#if MICROPY_PY_BUILTINS_MEMORYVIEW #if MICROPY_PY_BUILTINS_MEMORYVIEW
#define TYPECODE_MASK (0x7f) #define TYPECODE_MASK (0x7f)
#define memview_offset free #define memview_offset free
#define memview_offset_max ((1LL << MP_OBJ_ARRAY_FREE_SIZE_BITS) - 1)
#else #else
// make (& TYPECODE_MASK) a null operation if memorview not enabled // make (& TYPECODE_MASK) a null operation if memorview not enabled
#define TYPECODE_MASK (~(size_t)0) #define TYPECODE_MASK (~(size_t)0)
@ -522,6 +523,9 @@ STATIC mp_obj_t array_subscr(mp_obj_t self_in, mp_obj_t index_in, mp_obj_t value
assert(sz > 0); assert(sz > 0);
#if MICROPY_PY_BUILTINS_MEMORYVIEW #if MICROPY_PY_BUILTINS_MEMORYVIEW
if (o->base.type == &mp_type_memoryview) { if (o->base.type == &mp_type_memoryview) {
if (slice.start > memview_offset_max) {
mp_raise_msg(&mp_type_OverflowError, MP_ERROR_TEXT("memoryview offset too large"));
}
res = m_new_obj(mp_obj_array_t); res = m_new_obj(mp_obj_array_t);
*res = *o; *res = *o;
res->memview_offset += slice.start; res->memview_offset += slice.start;

5
py/objarray.h
View File

@ -32,6 +32,9 @@
// Used only for memoryview types, set in "typecode" to indicate a writable memoryview // Used only for memoryview types, set in "typecode" to indicate a writable memoryview
#define MP_OBJ_ARRAY_TYPECODE_FLAG_RW (0x80) #define MP_OBJ_ARRAY_TYPECODE_FLAG_RW (0x80)
// Bit size used for mp_obj_array_t.free member.
#define MP_OBJ_ARRAY_FREE_SIZE_BITS (8 * sizeof(size_t) - 8)
// This structure is used for all of bytearray, array.array, memoryview // This structure is used for all of bytearray, array.array, memoryview
// objects. Note that memoryview has different meaning for some fields, // objects. Note that memoryview has different meaning for some fields,
// see comment at the beginning of objarray.c. // see comment at the beginning of objarray.c.
@ -44,7 +47,7 @@ typedef struct _mp_obj_array_t {
// parent object. (Union is not used to not go into a complication of // parent object. (Union is not used to not go into a complication of
// union-of-bitfields with different toolchains). See comments in // union-of-bitfields with different toolchains). See comments in
// objarray.c. // objarray.c.
size_t free : (8 * sizeof(size_t) - 8); size_t free : MP_OBJ_ARRAY_FREE_SIZE_BITS;
size_t len; // in elements size_t len; // in elements
void *items; void *items;
} mp_obj_array_t; } mp_obj_array_t;

27
tests/basics/memoryview_slice_size.py Normal file
View File

@ -0,0 +1,27 @@
# test memoryview slicing beyond the limit of what memoryview can internally index
try:
from sys import maxsize
from uctypes import bytearray_at
memoryview
except:
print("SKIP")
raise SystemExit
if maxsize <= 0xFFFF_FFFF:
slice_max = 0xFF_FFFF
else:
slice_max = 0xFF_FFFF_FFFF_FFFF
buf = bytearray_at(0, slice_max + 2)
mv = memoryview(buf)
# this should work
print(mv[slice_max : slice_max + 1])
# this should overflow the internal index for memoryview slicing
try:
print(mv[slice_max + 1 : slice_max + 2])
except OverflowError:
print("OverflowError")

2
tests/basics/memoryview_slice_size.py.exp Normal file
View File

@ -0,0 +1,2 @@
<memoryview>
OverflowError