gh-127971: fix off-by-one read beyond the end of a string during search #132574
Conversation
Fix off-by-one read beyond the end of a string.
Objects/stringlib/fastsearch.h
Outdated
| @@ -595,7 +595,7 @@ STRINGLIB(default_find)(const STRINGLIB_CHAR* s, Py_ssize_t n, | |||
| continue; | |||
| } | |||
| /* miss: check if next character is part of pattern */ | |||
| if (!STRINGLIB_BLOOM(mask, ss[i+1])) { | |||
| if (i < w && !STRINGLIB_BLOOM(mask, ss[i+1])) { | |||
There was a problem hiding this comment.
I'm totally not sure that else branch is appropiate here for 'i == w2.
Even since we have i > w for this m this logic isn't clear for me.
What about simple replacement i <= w for loop condition with classical i < w?
It could be enough and cleaner.
There was a problem hiding this comment.
I think the else branch will be OK, since all it does is advance the index, and it is intended and expected that this could potentially advance it past the end of the string, in which case the for loop will terminate.
We can't just replace the the loop condition with i < w since the w here is the last valid index that the pattern could appear at, and needs to be checked. Otherwise we would miss valid matches, and indeed such a change breaks a large number of unit tests.
Note the conditionals that were changed are miss conditions, i.e. the algorithm has determined the character at the index cannot be part of the pattern at this location in the string. The conditionals modified are checking whether the following character could potentially be part of a pattern hit, so as to determine whether to skip it entirely by advancing the full length of the pattern or only as much as possible while still considering it as a valid potential hit. In the case where we are at the end of the buffer it doesn't actually matter which branch we take, since either way it will advance past it and terminate. We just need to avoid reading the invalid following character when it doesn't exist.
There was a problem hiding this comment.
Maybe it's better to rewrite condition as i+1 <= w? It seems to be more obvious way of checking for me.
It's very similar to "for" condition, but for another argument and before direct using of i+1 as index.
... the
where is the last valid index that the pattern could appear at
IMO, rewrited condition slightly reduces cognitive load.
|
I'm not at all an expert in this code, so I've tried to apply your patch by myself. But I suggest some changes. |
I have been hesitant to ping specific developers, as I don't want to annoy people or violate etiquette, but if you think it would be appropriate there are a couple of devs who have worked on this code frequently and/or recently I could tag in?
That is an excellent find, thanks! Agreed: I'll investigate, try to get a test that reproduces the issue there also, and fix it. |
|
I've just used |
|
I can trigger the off-by-one reads in the adaptive algorithm easily enough, but I haven't been able to get it to cause an ASAN error as yet, so no luck so far on a test for that. The third variant, /* miss: check if previous character is part of pattern */
if (i > 0 && !STRINGLIB_BLOOM(mask, s[i-1])) {
i = i - m;
}
else {
i = i - skip;
}
}
else {
/* skip: check if previous character is part of pattern */
if (i > 0 && !STRINGLIB_BLOOM(mask, s[i-1])) {
i = i - m;
}
}
} |
|
Does IMO, we can add check and tests for |
|
Looking closer at Presumably the extra clause in the conditional has some measurable performance impact, however slight, and given the input string minimum length requirements it will likely add up to much more than would be saved by avoiding one unnecessary character read. So, perhaps we shouldn't add it to Nonetheless, I'll push out an update to this that adds an |
…asons for and limitations of the tests.
|
I suggest to slightly rewrite But those are only cosmetical changes, in other aspects LGTM. |
…mment explaining why a guard is not necessary in adaptive_find.
Sure thing, will update, thanks! |
| start in. I.e. if i == w it is safe to read ss[i + 1] since the | ||
| input and pattern length requirements on when this variant | ||
| algorithm will be called ensure it will always be a valid part | ||
| of the input. In that case it doesn't matter what the character |
There was a problem hiding this comment.
This sentence is hard for reading, IMO
There was a problem hiding this comment.
I think this comment is not needed or you can summarize it as "i + 1 < len(ss) because of the input and pattern length requirements". Or add assert(i + 1 <= ...); By the way, you might want to add some asserts on n and m because it's not exactly clear that this won't be an issue.
There was a problem hiding this comment.
I am not fond of tests that may trigger a crash and the comments explaining why we have them are too long IMO. I don't see why we can't find an explicit input that triggers the code paths we want (except that it may be hard to craft such input). If it's too hard, we can just.. remove the tests. Or we should indicate in the C code that tests must be updated if we change the implementation.
| def test_replacement_on_buffer_boundary(self): | ||
|
|
||
| # gh-127971: Check we don't read past the end of the buffer when a | ||
| # potential match misses on the last character. Note this will likely | ||
| # not cause a failure unless ASAN is enabled, and even that may be | ||
| # dependent on implementation details subject to change. | ||
| any_3_nonblank_codepoints = '!!!' | ||
| seven_codepoints = any_3_nonblank_codepoints + ' ' + any_3_nonblank_codepoints | ||
| a = (' ' * 243) + seven_codepoints + (' ' * 7) | ||
| b = ' ' * 6 + chr(256) |
There was a problem hiding this comment.
| def test_replacement_on_buffer_boundary(self): | |
| # gh-127971: Check we don't read past the end of the buffer when a | |
| # potential match misses on the last character. Note this will likely | |
| # not cause a failure unless ASAN is enabled, and even that may be | |
| # dependent on implementation details subject to change. | |
| any_3_nonblank_codepoints = '!!!' | |
| seven_codepoints = any_3_nonblank_codepoints + ' ' + any_3_nonblank_codepoints | |
| a = (' ' * 243) + seven_codepoints + (' ' * 7) | |
| b = ' ' * 6 + chr(256) | |
| def test_replacement_on_buffer_boundary(self): | |
| # gh-127971: Check we don't read past the end of the buffer when a | |
| # potential match misses on the last character. Note this will likely | |
| # not cause a failure unless ASAN is enabled, and even that may be | |
| # dependent on implementation details subject to change. | |
| any_3_nonblank_codepoints = '!!!' | |
| seven_codepoints = any_3_nonblank_codepoints + ' ' + any_3_nonblank_codepoints | |
| a = (' ' * 243) + seven_codepoints + (' ' * 7) | |
| b = ' ' * 6 + chr(256) |
Note this will likely not cause a failure unless ASAN is enabled
In this case, make this test an ASAN test only. I would also shorten the comment.
| def test_adaptive_find_on_buffer_boundary(self): | ||
|
|
||
| # gh-127971: This exercises the adaptive search algorithm to trigger a | ||
| # corner-case where it might examine the character *after* the last | ||
| # position that could be the start of the pattern. | ||
| # | ||
| # Unfortunately there is nothing to *test* to confirm whether the | ||
| # character is read or not, nor in fact does it matter for correctness | ||
| # with the implementation at time of writing: the adaptive algorithm is | ||
| # only triggered if the input is over a certain size and with a pattern | ||
| # with more than one character, so with the current implementation even | ||
| # though the final character read is not necessary or significant, it | ||
| # won't cause a fault. | ||
| # | ||
| # This test at least intentionally exercises this path, and might | ||
| # possibly catch a regression if the implementation changes and breaks | ||
| # those assumptions. |
There was a problem hiding this comment.
| def test_adaptive_find_on_buffer_boundary(self): | |
| # gh-127971: This exercises the adaptive search algorithm to trigger a | |
| # corner-case where it might examine the character *after* the last | |
| # position that could be the start of the pattern. | |
| # | |
| # Unfortunately there is nothing to *test* to confirm whether the | |
| # character is read or not, nor in fact does it matter for correctness | |
| # with the implementation at time of writing: the adaptive algorithm is | |
| # only triggered if the input is over a certain size and with a pattern | |
| # with more than one character, so with the current implementation even | |
| # though the final character read is not necessary or significant, it | |
| # won't cause a fault. | |
| # | |
| # This test at least intentionally exercises this path, and might | |
| # possibly catch a regression if the implementation changes and breaks | |
| # those assumptions. | |
| def test_adaptive_find_on_buffer_boundary(self): | |
| # gh-127971: This exercises the adaptive search algorithm to trigger a | |
| # corner-case where it might examine the character *after* the last | |
| # position that could be the start of the pattern. | |
| # | |
| # Unfortunately there is nothing to *test* to confirm whether the | |
| # character is read or not, nor in fact does it matter for correctness | |
| # with the implementation at time of writing: the adaptive algorithm is | |
| # only triggered if the input is over a certain size and with a pattern | |
| # with more than one character, so with the current implementation even | |
| # though the final character read is not necessary or significant, it | |
| # won't cause a fault. | |
| # | |
| # This test at least intentionally exercises this path, and might | |
| # possibly catch a regression if the implementation changes and breaks | |
| # those assumptions. | |
Why "might"? is it a corner case or not? I suggest to either find an input that triggers exactly the code paths we want, or to remove this test as it may or may not trigger the issue. Also the comment is too long IMO.
| @@ -0,0 +1 @@ | |||
| Fix off-by-one read beyond the end of a string in string search | |||
There was a problem hiding this comment.
| Fix off-by-one read beyond the end of a string in string search | |
| Fix off-by-one read beyond the end of a string in string search. |
| @@ -676,7 +685,9 @@ STRINGLIB(adaptive_find)(const STRINGLIB_CHAR* s, Py_ssize_t n, | |||
| } | |||
| } | |||
| else { | |||
| /* skip: check if next character is part of pattern */ | |||
| /* Skip: check if next character is part of pattern. | |||
| See comment above re safety of accessing ss[i+1] when i == w. | |||
There was a problem hiding this comment.
What does it mean "above re safety"
| # though the final character read is not necessary or significant, it | ||
| # won't cause a fault. | ||
| # | ||
| # This test at least intentionally exercises this path, and might |
| start in. I.e. if i == w it is safe to read ss[i + 1] since the | ||
| input and pattern length requirements on when this variant | ||
| algorithm will be called ensure it will always be a valid part | ||
| of the input. In that case it doesn't matter what the character |
There was a problem hiding this comment.
I think this comment is not needed or you can summarize it as "i + 1 < len(ss) because of the input and pattern length requirements". Or add assert(i + 1 <= ...); By the way, you might want to add some asserts on n and m because it's not exactly clear that this won't be an issue.
Fix cases where the string search algorithm reads one past the end of the character/byte array under certain conditions.