[New-bugs-announce] [issue17187] Python segfaults from improperly formed and called function

Larry Hastings report at bugs.python.org
Tue Feb 12 00:54:43 CET 2013

New submission from Larry Hastings:

Python 3.3 added a nice new feature: if you don't supply enough positional parameters to a function, it tells you the names of the positional parameters you omitted.

Unfortunately, the code that prints this error message assumes that the function is well-formed.  If I manually create a function using types.CodeType and types.FunctionType, and I don't provide enough entries in the types.CodeType "varnames" parameter to satisfy all the positional parameters, and I call the resulting function with insufficient parameters, Python crashes.

I've attached a sample script that demonstrates this crash.  I can reproduce it with both 3.3.0 and a recent trunk.  Since this feature wasn't in 3.2 or before, the bug doesn't seem to exist in those versions; I couldn't reproduce with 3.2 or 2.7.

The crash occurs in missing_arguments() in Python/ceval.c, line 3256 in trunk.  The function calls PyTuple_GET_ITEM on the co_varnames tuple without checking that it has sufficient entries.  It gets a crazytown pointer, calls PyObject_Repr on it, and boom.

I've attached a band-aid patch which prevents the crash, but this is almost certainly not the fix we want.  Perhaps types.CodeType should refuse to generate the malformed code object in the first place?

components: Interpreter Core
files: crashy.py
keywords: 3.3regression
messages: 181936
nosy: larry
priority: normal
severity: normal
stage: needs patch
status: open
title: Python segfaults from improperly formed and called function
type: crash
versions: Python 3.3, Python 3.4
Added file: http://bugs.python.org/file29043/crashy.py

