[New-bugs-announce] [issue35842] A potential bug about use of uninitialised variable

rongxin report at bugs.python.org
Mon Jan 28 08:38:04 EST 2019


New submission from rongxin <se.wu.rongxin at gmail.com>:

In the source file mmapmodule.c, the function mmap_subscript contains a potential bug about the use of an uninitialised variable.


mmapmodule.c:

764 static PyObject *
765 mmap_subscript(mmap_object *self, PyObject *item)
766 {
...
    else if (PySlice_Check(item)) {
782        Py_ssize_t start, stop, step, slicelen;
783
784        if (PySlice_Unpack(item, &start, &stop, &step) < 0) {
785            return NULL;
786        }
787        slicelen = PySlice_AdjustIndices(self->size, &start, &stop, step);
     ...

On Line 782 of the file mmapmodule.c, the variable stop is not initialised and will be passed to the function PySlice_Unpack as the third parameter. Inside the function, it is likely that stop is not initialised. Please see the following code.

sliceobject.c:
196 int
197 PySlice_Unpack(PyObject *_r,
198               Py_ssize_t *start, Py_ssize_t *stop, Py_ssize_t *step)
199 {
...
231    if (r->stop == Py_None) {
232        *stop = *step < 0 ? PY_SSIZE_T_MIN : PY_SSIZE_T_MAX;
233    }
234    else {
235        if (!_PyEval_SliceIndex(r->stop, stop)) return -1;
236    }


The third parameter **stop** may be changed at Line 232 or 235. However, it is still likely that **stop** is not initialised at Line 235, where **stop** is passed as the second parameter. Note that, at Line 235, we only know r->stop != Py_None. The following is the code snippet of the function _PyEval_SliceIndex.


ceval.c:
4718 int
4719 _PyEval_SliceIndex(PyObject *v, Py_ssize_t *pi)
4720 {
4721     if (v != Py_None) {
4722         Py_ssize_t x;
4723         if (PyIndex_Check(v)) {
4724             x = PyNumber_AsSsize_t(v, NULL);
4725             if (x == -1 && PyErr_Occurred())
4726                 return 0;
4727         }
4728         else {
4729             PyErr_SetString(PyExc_TypeError,
4730                             "slice indices must be integers or "
4731                             "None or have an __index__ method");
4732             return 0;
4733         }
4734         *pi = x;
4735     }
4736    return 1;
4737 }

As we can see, it is likely that, when the third parameter v is NULL, the function _PyEval_SliceIndex will return 1. In the caller function PySlice_Unpack, at Line 235, the condition **if (!_PyEval_SliceIndex(r->stop, stop))** is not satisfied, and thus it will go to Line 238, which returns 0. In the caller function mmap_subscript in the file mmapmodule.c, at Line 784, since the return value is 0, the path condition **PySlice_Unpack(item, &start, &stop, &step) < 0** is not satisfied. Execution will continue to Line 787. The uninitialised variable **stop** will again be passed to the function PySlice_AdjustIndices as the third parameter. **stop** will then be dereferenced without initialisation. Please see the following.

sliceobject.c:
241 Py_ssize_t
242 PySlice_AdjustIndices(Py_ssize_t length,
243                      Py_ssize_t *start, Py_ssize_t *stop, Py_ssize_t step)
...
260 if (*stop < 0) {
261    *stop += length;
...

----------
messages: 334466
nosy: wurongxin1987
priority: normal
severity: normal
status: open
title: A potential bug about use of uninitialised variable
type: security
versions: Python 3.8

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue35842>
_______________________________________
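As an added illustration (not part of the report and not CPython code), a small C model of the out-parameter pattern the report traces: a helper that, like _PyEval_SliceIndex, writes its out-parameter only on one branch, an unpack routine mirroring the stop handling of PySlice_Unpack, and a poison-and-check routine a reviewer can use to confirm whether every success path actually writes *stop before the caller reads it. The index_obj type, INDEX_NONE, the sentinel value and SAMPLE_INDEX are assumptions of the model.

```c
#include <limits.h>
#include <stddef.h>

/* Constructed model: an "index object" is a pointer to a boxed long, and a
   NULL pointer stands in for Py_None. These names and types are assumptions
   of the model, not CPython's. */
typedef const long *index_obj;
#define INDEX_NONE ((index_obj)NULL)
#define STOP_SENTINEL 0x5EED5EEDL   /* poison value no caller passes as an index */

static const long SAMPLE_INDEX = 5; /* constructed sample boxed index */

/* Mirrors the contract of _PyEval_SliceIndex: *pi is written only when v is
   not None, yet the function still reports success (1) when it skipped the
   write. The caller therefore cannot infer from the return value that *pi
   holds a defined value. */
static int slice_index(index_obj v, long *pi)
{
    if (v != INDEX_NONE) {
        *pi = *v;
    }
    return 1;
}

/* Mirrors the stop handling of PySlice_Unpack: the None case writes *stop
   itself, every other case delegates to slice_index with a non-None value,
   so the delegate always writes. Returns 0 on success, -1 on error. */
static int unpack_stop(index_obj stop_obj, long step, long *stop)
{
    if (stop_obj == INDEX_NONE) {
        *stop = step < 0 ? LONG_MIN : LONG_MAX;
        return 0;
    }
    return slice_index(stop_obj, stop) ? 0 : -1;
}

/* Poison-and-check: start from a sentinel, run the unpack, and report whether
   a successful return left the out-parameter unwritten. Returns 1 when *stop
   was written (or an error was returned, so the caller may not read it) and
   0 when a success path skipped the write, which is the hazard reported. */
static int stop_written_on_success(index_obj stop_obj, long step)
{
    long stop = STOP_SENTINEL;
    if (unpack_stop(stop_obj, step, &stop) < 0) {
        return 1;
    }
    return stop != STOP_SENTINEL;
}
```

The same poison-and-check idea is what a memory sanitizer automates; running the real interpreter under MSan or Valgrind with slice arguments of each kind is the practical way to confirm or refute the report.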