Throw IndexError on out-of-bounds buffer access

Author: msimacek

graalpython/com.oracle.graal.python/src/com/oracle/graal/python/builtins/objects/common/BufferStorageNodes.java

@@ -40,6 +40,7 @@
  */
 package com.oracle.graal.python.builtins.objects.common;
 
+import static com.oracle.graal.python.builtins.PythonBuiltinClassType.IndexError;
 import static com.oracle.graal.python.builtins.PythonBuiltinClassType.OverflowError;
 import static com.oracle.graal.python.builtins.PythonBuiltinClassType.TypeError;
 import static com.oracle.graal.python.builtins.PythonBuiltinClassType.ValueError;
@@ -344,8 +345,15 @@ static void doBytes(PBytesLike src, int srcPos, byte[] dest, int destPos, int le
         }
 
         @Specialization
-        static void doArray(PArray src, int srcPos, byte[] dest, int destPos, int length) {
-            PythonUtils.arraycopy(src.getBuffer(), srcPos, dest, destPos, length);
+        static void doArray(PArray src, int srcPos, byte[] dest, int destPos, int length,
+                        @Cached PRaiseNode raiseNode) {
+            try {
+                PythonUtils.arraycopy(src.getBuffer(), srcPos, dest, destPos, length);
+            } catch (ArrayIndexOutOfBoundsException e) {
+                CompilerDirectives.transferToInterpreterAndInvalidate();
+                // This can happen when the array gets resized while being exported
+                throw raiseNode.raise(IndexError, ErrorMessages.INVALID_BUFFER_ACCESS);
+            }
         }
     }
 
@@ -361,8 +369,15 @@ static void doBytes(byte[] src, int srcPos, PBytesLike dest, int destPos, int le
         }
 
         @Specialization
-        static void doArray(byte[] src, int srcPos, PArray dest, int destPos, int length) {
-            PythonUtils.arraycopy(src, srcPos, dest.getBuffer(), destPos, length);
+        static void doArray(byte[] src, int srcPos, PArray dest, int destPos, int length,
+                        @Cached PRaiseNode raiseNode) {
+            try {
+                PythonUtils.arraycopy(src, srcPos, dest.getBuffer(), destPos, length);
+            } catch (ArrayIndexOutOfBoundsException e) {
+                CompilerDirectives.transferToInterpreterAndInvalidate();
+                // This can happen when the array gets resized while being exported
+                throw raiseNode.raise(IndexError, ErrorMessages.INVALID_BUFFER_ACCESS);
+            }
         }
     }
 }

graalpython/com.oracle.graal.python/src/com/oracle/graal/python/builtins/objects/common/SequenceStorageNodes.java

@@ -40,6 +40,7 @@
 import static com.oracle.graal.python.nodes.SpecialMethodNames.__GT__;
 import static com.oracle.graal.python.nodes.SpecialMethodNames.__LE__;
 import static com.oracle.graal.python.nodes.SpecialMethodNames.__LT__;
+import static com.oracle.graal.python.runtime.exception.PythonErrorType.IndexError;
 import static com.oracle.graal.python.runtime.exception.PythonErrorType.MemoryError;
 import static com.oracle.graal.python.runtime.exception.PythonErrorType.OverflowError;
 import static com.oracle.graal.python.runtime.exception.PythonErrorType.SystemError;
@@ -2150,17 +2151,31 @@ public abstract static class CopyBytesFromByteStorage extends PNodeWithContext {
         public abstract void execute(SequenceStorage src, int srcPos, byte[] dest, int destPos, int length);
 
         @Specialization
-        static void doByteSequenceStorage(ByteSequenceStorage src, int srcPos, byte[] dest, int destPos, int length) {
-            PythonUtils.arraycopy(src.getInternalByteArray(), srcPos, dest, destPos, length);
+        static void doByteSequenceStorage(ByteSequenceStorage src, int srcPos, byte[] dest, int destPos, int length,
+                        @Cached PRaiseNode raiseNode) {
+            try {
+                PythonUtils.arraycopy(src.getInternalByteArray(), srcPos, dest, destPos, length);
+            } catch (ArrayIndexOutOfBoundsException e) {
+                CompilerDirectives.transferToInterpreterAndInvalidate();
+                // This can happen when the array gets resized while being exported
+                throw raiseNode.raise(IndexError, ErrorMessages.INVALID_BUFFER_ACCESS);
+            }
         }
 
         @Specialization(guards = "isByteStorage(src)")
         static void doNativeByte(NativeSequenceStorage src, int srcPos, byte[] dest, int destPos, int length,
-                        @Cached GetItemScalarNode getItemNode) {
-            for (int i = 0; i < length; i++) {
-                int elem = getItemNode.executeInt(src, srcPos + i);
-                assert elem >= 0 && elem < 256;
-                dest[destPos + i] = (byte) elem;
+                        @Cached GetItemScalarNode getItemNode,
+                        @Cached PRaiseNode raiseNode) {
+            try {
+                for (int i = 0; i < length; i++) {
+                    int elem = getItemNode.executeInt(src, srcPos + i);
+                    assert elem >= 0 && elem < 256;
+                    dest[destPos + i] = (byte) elem;
+                }
+            } catch (PException e) {
+                CompilerDirectives.transferToInterpreterAndInvalidate();
+                // This can happen when the array gets resized while being exported
+                throw raiseNode.raise(IndexError, ErrorMessages.INVALID_BUFFER_ACCESS);
             }
         }
     }
@@ -2172,15 +2187,29 @@ public abstract static class CopyBytesToByteStorage extends PNodeWithContext {
         public abstract void execute(byte[] src, int srcPos, SequenceStorage dest, int destPos, int length);
 
         @Specialization
-        static void doByteSequenceStorage(byte[] src, int srcPos, ByteSequenceStorage dest, int destPos, int length) {
-            PythonUtils.arraycopy(src, srcPos, dest.getInternalByteArray(), destPos, length);
+        static void doByteSequenceStorage(byte[] src, int srcPos, ByteSequenceStorage dest, int destPos, int length,
+                        @Cached PRaiseNode raiseNode) {
+            try {
+                PythonUtils.arraycopy(src, srcPos, dest.getInternalByteArray(), destPos, length);
+            } catch (ArrayIndexOutOfBoundsException e) {
+                CompilerDirectives.transferToInterpreterAndInvalidate();
+                // This can happen when the array gets resized while being exported
+                throw raiseNode.raise(IndexError, ErrorMessages.INVALID_BUFFER_ACCESS);
+            }
         }
 
         @Specialization(guards = "isByteStorage(dest)")
         static void doNativeByte(byte[] src, int srcPos, NativeSequenceStorage dest, int destPos, int length,
-                        @Cached SetItemScalarNode setItemNode) {
-            for (int i = 0; i < length; i++) {
-                setItemNode.execute(dest, destPos + i, src[srcPos + i]);
+                        @Cached SetItemScalarNode setItemNode,
+                        @Cached PRaiseNode raiseNode) {
+            try {
+                for (int i = 0; i < length; i++) {
+                    setItemNode.execute(dest, destPos + i, src[srcPos + i]);
+                }
+            } catch (PException e) {
+                CompilerDirectives.transferToInterpreterAndInvalidate();
+                // This can happen when the array gets resized while being exported
+                throw raiseNode.raise(IndexError, ErrorMessages.INVALID_BUFFER_ACCESS);
             }
         }
     }

graalpython/com.oracle.graal.python/src/com/oracle/graal/python/nodes/ErrorMessages.java

@@ -323,6 +323,7 @@ public abstract class ErrorMessages {
     public static final String INVALID_PTR_OBJ = "invalid pointer object: %s";
     public static final String INVALID_SYNTAX = "invalid syntax";
     public static final String INVALID_USE_OF_W_FORMAT_CHAR = "invalid use of 'w' format character";
+    public static final String INVALID_BUFFER_ACCESS = "invalid buffer access";
     public static final String IS_EMPTY = "%s is empty";
     public static final String IS_NOT_A_DICTIONARY = "%s is not a dictionary";
     public static final String IS_NOT_IN_RANGE = "%s is not in range";