gh-134070: Prevent out-of-bounds read in mi_clz32 and mi_ctz32 #134149
vedant713 wants to merge 8 commits into python:main from
|
Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool. If this change has little impact on Python users, wait for a maintainer to apply the |
ZeroIntensity left a comment
Please add a test and blurb.
|
FYI, this code is from https://github.com/microsoft/mimalloc. You might want to send a pull request there too. |
|
It's said to be fixed in microsoft/mimalloc@ed31847. |
|
Please, stop updating two PRs at the same time. See https://devguide.python.org/getting-started/pull-request-lifecycle/. I am going to close the other PR as it only contains the NEWS entry. In addition, please do not merge main into this branch if there is no conflict. TiA. |
|
I'm trying to add it via the Heroku app, but it's giving a server error. |
|
I never used the app, so I'd suggest using the command-line instead:

```
python -m pip install blurb
python -m blurb
git commit -m 'blurb'
```
|
@picnixz Thanks for checking. Somehow I missed that commit in mimalloc. |
|
I think we should copy-paste the change from upstream instead of doing a similar (but not identical) fix here. In other words, copy this code from upstream (from the fix commit) into our |
|
@vedant713 Are you still working on this one? |
Fixes GH-134070

Summary:
This patch adds a masking operation to the index calculation in `mi_ctz32()` and `mi_clz32()` functions to prevent out-of-bounds access on 64-bit systems, matching the fix from upstream mimalloc.

Why:
On systems where `unsigned long` is 64-bit, the multiplication may produce a value >31, causing a read outside the array bounds.
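
The index overflow described above, as an added example that is not code from this PR, CPython, or mimalloc. It assumes the standard 32-entry de Bruijn count-trailing-zeros table and multiplier, uses `uint64_t` to stand in for a 64-bit `unsigned long`, and all function names are hypothetical; it computes the index without performing the out-of-bounds read.

```c
#include <stdint.h>
#include <stdio.h>

/* Standard 32-entry de Bruijn table for count-trailing-zeros (assumed). */
static const unsigned char debruijn_ctz[32] = {
  0, 1, 28, 2, 29, 14, 24, 3, 30, 22, 20, 15, 25, 17, 4, 8,
  31, 27, 13, 23, 21, 19, 16, 7, 26, 12, 18, 6, 11, 5, 10, 9
};

/* Index when the multiply is done in 64 bits; uint64_t stands in for a
   64-bit unsigned long so the effect is the same on every platform. */
static uint64_t index_wide(uint32_t x) {
  uint64_t lowbit = x & (0u - x);            /* isolate lowest set bit */
  return (lowbit * UINT64_C(0x077CB531)) >> 27;
}

/* Same computation with the index masked to the table's 5-bit range. */
static uint32_t index_masked(uint32_t x) {
  return (uint32_t)(index_wide(x) & 31u);
}

/* ctz built on the masked index; never reads past debruijn_ctz[31]. */
static unsigned ctz32_masked(uint32_t x) {
  if (x == 0) return 32;
  return debruijn_ctz[index_masked(x)];
}

/* How many single-bit inputs give an unmasked index outside 0..31. */
static int count_oob_inputs(void) {
  int n = 0;
  for (int k = 0; k < 32; k++)
    if (index_wide(UINT32_C(1) << k) > 31) n++;
  return n;
}

/* 1 if the masked version is correct for every bit position. */
static int masked_is_correct(void) {
  for (int k = 0; k < 32; k++)
    if (ctz32_masked(UINT32_C(1) << k) != (unsigned)k) return 0;
  return 1;
}

int main(void) {
  printf("unmasked index for 0x80000000: %llu\n",
         (unsigned long long)index_wide(0x80000000u));
  printf("inputs out of bounds: %d, masked correct: %d\n",
         count_oob_inputs(), masked_is_correct());
  return 0;
}
```

Masking the shifted 64-bit product with 31 keeps bits 27 to 31 of the product, the same five bits that a 32-bit multiply followed by `>> 27` would leave.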