Series.iloc[ negative number ] can access memory it doesn't own or cause Segmentation Fault #10779

Closed
sergeny opened this Issue Aug 9, 2015 · 4 comments


sergeny commented Aug 9, 2015

In other words, there is no bounds checking for Series.iloc[] with a negative argument. It just accesses whatever is in the memory there. Also a security breach.

It does appear to check on write, just not on read.

Python 2.7.10 |Anaconda 2.1.0 (64-bit)| (default, May 28 2015, 17:02:03)
[GCC 4.4.7 20120313 (Red Hat 4.4.7-1)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
Anaconda is brought to you by Continuum Analytics.
Please check out: http://continuum.io/thanks and https://binstar.org
>>> import pandas as pd
>>> pd.__version__
'0.16.2'
>>> s = pd.Series([1,2,3])
>>> s
0    1
1    2
2    3
dtype: int64
>>> s.iloc[-2]
2
>>> s.iloc[-4]
33
>>> s.iloc[-12345]
0
>>> s.iloc[-123123123123123]
Segmentation fault (core dumped)

sergeny changed the title from Series.iloc[ large negative number ] causes Segmentation Fault to Series.iloc[ negative number ] can access memory it doesn't own or cause Segmentation Fault Aug 9, 2015

jreback commented Aug 10, 2015

Looks like boundary checking is not happening correctly. Pull requests are welcome to fix.

jreback added this to the Next Major Release milestone Aug 10, 2015

ajcr commented Aug 10, 2015

A related issue: should s.iloc[-len(s)] raise an error?

For s = pd.Series([1,2,3]), writing s.iloc[[-3, -3]] results in an IndexError, although you'd expect the first row (index 0) to be returned twice - that's how it is for DataFrames and native Python iterables.

So I think both _is_valid_integer and _is_valid_list_like might need minor fixes here to be consistent, e.g. raising an error if key >= len(ax) or key < -len(ax).

I can submit a PR if no one else is working on this.
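A read-path bounds check of the kind ajcr describes above, added here as an example that is not part of this thread or of pandas itself; `checked_iloc`, the unprefixed `is_valid_integer` / `is_valid_list_like` helpers and the plain Python list standing in for the Series' backing array are assumptions made for the illustration:

```python
from typing import Sequence, Union

Key = Union[int, Sequence[int]]


def is_valid_integer(key: int, length: int) -> bool:
    """A positional index is in bounds when -length <= key < length.

    This is the rule proposed in the thread (reject key >= len(ax) or
    key < -len(ax)) and matches how plain Python sequences treat negatives.
    """
    return -length <= key < length


def is_valid_list_like(keys: Sequence[int], length: int) -> bool:
    """Every element of a list-like positional indexer must be in bounds."""
    return all(is_valid_integer(k, length) for k in keys)


def checked_iloc(values: Sequence[int], key: Key):
    """Positional lookup that validates the key before touching storage.

    `values` is a plain list standing in for the Series' backing array
    (hypothetical stand-in, not pandas internals). Out-of-bounds keys raise
    IndexError on read instead of reaching past the buffer.
    """
    n = len(values)
    if isinstance(key, int):
        if not is_valid_integer(key, n):
            raise IndexError(f"positional indexer {key} is out of bounds for length {n}")
        return values[key]
    bad = [k for k in key if not is_valid_integer(k, n)]
    if bad:
        raise IndexError(f"positional indexers {bad} are out of bounds for length {n}")
    # -len(values) is the first row, so [-3, -3] on three rows returns it twice
    return [values[k] for k in key]


def regression_cases():
    """Constructed cases mirroring the report's session, where s = [1, 2, 3]."""
    s = [1, 2, 3]
    results = {}
    for key in (-2, -3, -4, -12345, -123123123123123, [-3, -3], [0, -4]):
        try:
            results[str(key)] = checked_iloc(s, key)
        except IndexError:
            results[str(key)] = "IndexError"
    return results
```

With the check in place, the keys that returned `33`, `0` and a segfault in the report all become `IndexError`, while `-3` and `[-3, -3]` return the first row as a Python list would.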

jreback commented Aug 10, 2015

might be relevant. pydata#6531 (though about slicing).

@ajcr yes, this prob is a simple fix, just needs some testing / logic. go for it.

@jreback jreback modified the milestone: 0.17.0, Next Major Release Aug 13, 2015

jreback commented Aug 14, 2015

closed by #10808

jreback closed this Aug 14, 2015
