author | Tim Peters <tim.peters@gmail.com> | 2001-05-19 07:04:38 (GMT) |
---|---|---|
committer | Tim Peters <tim.peters@gmail.com> | 2001-05-19 07:04:38 (GMT) |
commit | 91a364df173a03c9ab7219aa23b950b072c580f3 (patch) | |
tree | 1fe8167906c5650b275bc89c5db04aef89dd7d25 /Objects | |
parent | acb117eb111f4f6d0f6e7942357e7c3afe6b70f7 (diff) | |
Bugfix candidate.
Two exceedingly unlikely errors in dictresize():
1. The loop for finding the new size had an off-by-one error at the
end (could over-index the polys[] vector).
2. The polys[] vector ended with a 0, apparently intended as a sentinel
value but never used as such; i.e., it was never checked, so 0 could
have been used *as* a polynomial.
Neither bug could trigger unless a dict grew to 2**30 slots; since that
would consume at least 12GB of memory just to hold the dict pointers,
I'm betting it's not the cause of the bug Fred's tracking down <wink>.
Diffstat (limited to 'Objects')
-rw-r--r-- | Objects/dictobject.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/Objects/dictobject.c b/Objects/dictobject.c index b465a21..f6f9c96 100644 --- a/Objects/dictobject.c +++ b/Objects/dictobject.c @@ -47,7 +47,6 @@ static long polys[] = { 268435456 + 9, 536870912 + 5, 1073741824 + 83, - 0 }; /* Object used as dummy key to fill deleted entries */ @@ -373,8 +372,10 @@ dictresize(dictobject *mp, int minused) register dictentry *newtable; register dictentry *ep; register int i; + + assert(minused >= 0); for (i = 0, newsize = MINSIZE; ; i++, newsize <<= 1) { - if (i > sizeof(polys)/sizeof(polys[0])) { + if (i >= sizeof(polys)/sizeof(polys[0])) { /* Ran out of polynomials */ PyErr_NoMemory(); return -1; |
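Review bot: in the polys[] hunk, removing the trailing 0 leaves sizeof(polys)/sizeof(polys[0]) as the only thing that bounds the table, and nothing at the array says so. Add a short comment at the closing brace stating that the table has no terminator and that dictresize() bounds its index by element count, so a later edit does not reintroduce a sentinel entry that would then count as a usable polynomial.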
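Review bot: in the dictresize() hunk, assert(minused >= 0) disappears when NDEBUG is defined, so release builds do not enforce the precondition; if any caller can pass a negative value, use an explicit check that sets an error and returns -1, otherwise state the precondition in the function's comment. Separately, the corrected test `i >= sizeof(polys)/sizeof(polys[0])` still compares the signed `register int i` with an unsigned size_t. That is safe here because i starts at 0 and only increments, but casting the element count to int or naming it in a macro would remove the implicit conversion and any signed/unsigned comparison warning.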