[issue18060] Updating _fields_ of a derived struct type yields a bad cif

Lauri Alanko report at bugs.python.org
Sat May 25 21:07:26 CEST 2013


New submission from Lauri Alanko:

In Modules/_ctypes/stgdict.c:567 there is a suspicious line:

    stgdict->length = len;      /* ADD ffi_ofs? */

That is, the length field of the stgdict is set to the number of fields in the immediate Structure class, and the number of fields in the parent class (ffi_ofs) is questionably left out. This is wrong.

The length field is used in PyCStgDict_clone to copy the ffi_type descriptors for struct elements to a derived struct type. If length is short, not all element types are copied, and the resulting array is not NULL-terminated.

So the problem manifests when you inherit from a structure type, update the _fields_ of the inherited type, and then inherit again from the updated type. Even then everything might seem normal, since the elements array is actually not used very much.

However, attached is a test case that segfaults at least with debug builds on ARM with the VFP ABI. The non-null-terminated element type array is traversed to find if the structure can be passed in floating point registers, eventually resulting in dereferencing 0xfbfbfbfb.

The test program should print out pi. To avoid the hassle of a separate C component, the program abuses the standard atan2 function by pretending it takes a struct of two doubles instead of two separate double parameters. This does not make a difference to the ABI.

Fixing the bug is trivial. Just change the line to:

    stgdict->length = ffi_ofs + len;

----------
components: ctypes
files: t1.py
messages: 189992
nosy: lauri.alanko
priority: normal
severity: normal
status: open
title: Updating _fields_ of a derived struct type yields a bad cif
type: crash
versions: Python 3.3
Added file: http://bugs.python.org/file30369/t1.py

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue18060>
_______________________________________