Bug#940679: cython3: generated code does out of bounds reads in with-dict (subclass of) cdef class
Rebecca N. Palmer
rebecca_palmer at zoho.com
Fri Sep 27 20:32:32 BST 2019
Control: reassign -1 cython3
Control: affects -1 python3-pandas python3-skimage
Control: tags -1 fixed-upstream
Control: retitle -1: cython3: generated code does out of bounds reads in with-dict (subclass of) cdef class
No, it is a proper Timedelta-sized space (144 bytes, not a _Timedelta's
128). The bug is that Cython is treating the tp_dictoffset slot (128
bytes from the start of Timedelta) as the *start of* a PyDictObject (48
bytes, so won't fit here) when it's actually a *pointer to* the
PyDictObject.

This only happens when tp_dictoffset is nonzero, i.e. either a cdef
class with an instance dict (non-default but allowed), or a normal
Python class inheriting from a cdef class.

This appears to be fixed upstream (though they only seem to have noticed
that they weren't checking whether the pointer was NULL, not that they
weren't treating it as a pointer at all):
https://github.com/cython/cython/commit/253c25a902aef2c54de31baa22af73d0dbad2a06#diff-32655df5c2097cca93b52a2ff7583bef

I haven't checked whether this patch can be applied to our Cython
version. As it has been released upstream and there is already a
request for the new upstream version (#941021), packaging this is
probably a better use of time.
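
Added illustration, not part of the original message and not Cython's or CPython's code: a small C model of the layout described above, contrasting the misreading (slot taken as the start of the dict) with the correct pointer dereference plus NULL check. The struct names are constructed stand-ins, sized to match the 128/144/48-byte figures on an LP64 platform, and only positive dict offsets are modelled.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-ins, not CPython's real structs; sizes follow the message. */
typedef struct { int64_t used; char pad[40]; } ModelDict;   /* 48 bytes */
typedef struct { char cfields[128]; } ModelBase;            /* like _Timedelta: 128 */
typedef struct {
    ModelBase base;
    ModelDict *dict;      /* slot at the dict offset: a POINTER to the dict */
    void *weaklist;
} ModelSub;               /* like Timedelta: 144 bytes on LP64 */

#define MODEL_DICTOFFSET offsetof(ModelSub, dict)

/* Bytes past the end of the object that would be touched if the slot
 * itself were (wrongly) taken to be the first byte of a ModelDict. */
size_t misread_overrun(size_t obj_size, size_t dictoffset) {
    size_t end = dictoffset + sizeof(ModelDict);
    return end > obj_size ? end - obj_size : 0;
}

/* Correct access: the slot holds a pointer, which may still be NULL
 * (no dict created yet). Offset 0 means the type has no instance dict. */
ModelDict *instance_dict(void *obj, size_t dictoffset) {
    if (dictoffset == 0) return NULL;
    ModelDict **slot = (ModelDict **)((char *)obj + dictoffset);
    return *slot;         /* caller must check for NULL */
}

/* Returns 0 and stores the entry count, or -1 if there is no dict. */
int dict_used(void *obj, size_t dictoffset, int64_t *out) {
    ModelDict *d = instance_dict(obj, dictoffset);
    if (d == NULL) return -1;
    *out = d->used;
    return 0;
}

int main(void) {
    ModelDict d = { .used = 3 };
    ModelSub with = { .dict = &d }, without = { .dict = NULL };
    int64_t n = 0;
    int ok = dict_used(&with, MODEL_DICTOFFSET, &n) == 0 && n == 3
          && dict_used(&without, MODEL_DICTOFFSET, &n) == -1
          && misread_overrun(sizeof(ModelSub), MODEL_DICTOFFSET) > 0;
    return ok ? 0 : 1;
}
```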