[New-bugs-announce] [issue17187] Python segfaults from improperly formed and called function

Larry Hastings report at bugs.python.org
Tue Feb 12 00:54:43 CET 2013


New submission from Larry Hastings:

Python 3.3 added a nice new feature: if you don't supply enough positional parameters to a function, it tells you the names of the positional parameters you omitted.

Unfortunately, the code that prints this error message assumes that the function is well-formed.  If I manually create a function using types.CodeType and types.FunctionType, and I don't provide enough entries in the types.CodeType "varnames" parameter to satisfy all the positional parameters, and I call the resulting function with insufficient parameters, Python crashes.

I've attached a sample script that demonstrates this crash.  I can reproduce it with both 3.3.0 and a recent trunk.  Since this feature wasn't in 3.2 or before, the bug doesn't seem to exist in those versions; I couldn't reproduce with 3.2 or 2.7.

The crash occurs in missing_arguments() in Python/ceval.c, line 3256 in trunk.  The function calls PyTuple_GET_ITEM on the co_varnames tuple without checking that it has sufficient entries.  It gets a crazytown pointer, calls PyObject_Repr on it, and boom.

I've attached a band-aid patch which prevents the crash, but this is almost certainly not the fix we want.  Perhaps types.CodeType should refuse to generate the malformed code object in the first place?

----------
components: Interpreter Core
files: crashy.py
keywords: 3.3regression
messages: 181936
nosy: larry
priority: normal
severity: normal
stage: needs patch
status: open
title: Python segfaults from improperly formed and called function
type: crash
versions: Python 3.3, Python 3.4
Added file: http://bugs.python.org/file29043/crashy.py

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue17187>
_______________________________________

