From 91a364df173a03c9ab7219aa23b950b072c580f3 Mon Sep 17 00:00:00 2001 From: Tim Peters Date: Sat, 19 May 2001 07:04:38 +0000 Subject: Bugfix candidate. Two exceedingly unlikely errors in dictresize(): 1. The loop for finding the new size had an off-by-one error at the end (could over-index the polys[] vector). 2. The polys[] vector ended with a 0, apparently intended as a sentinel value but never used as such; i.e., it was never checked, so 0 could have been used *as* a polynomial. Neither bug could trigger unless a dict grew to 2**30 slots; since that would consume at least 12GB of memory just to hold the dict pointers, I'm betting it's not the cause of the bug Fred's tracking down . --- Objects/dictobject.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/Objects/dictobject.c b/Objects/dictobject.c index b465a21..f6f9c96 100644 --- a/Objects/dictobject.c +++ b/Objects/dictobject.c @@ -47,7 +47,6 @@ static long polys[] = { 268435456 + 9, 536870912 + 5, 1073741824 + 83, - 0 }; /* Object used as dummy key to fill deleted entries */ @@ -373,8 +372,10 @@ dictresize(dictobject *mp, int minused) register dictentry *newtable; register dictentry *ep; register int i; + + assert(minused >= 0); for (i = 0, newsize = MINSIZE; ; i++, newsize <<= 1) { - if (i > sizeof(polys)/sizeof(polys[0])) { + if (i >= sizeof(polys)/sizeof(polys[0])) { /* Ran out of polynomials */ PyErr_NoMemory(); return -1; -- cgit v0.12