[issue38913] Py_BuildValue("(s#O)", ...) segfaults if entered with exception raised
danielen
report at bugs.python.org
Tue Nov 26 23:38:55 EST 2019
danielen <daniele at grinta.net> added the comment:
The problem arises from this code in do_mktuple(), starting at line 394 in modsupport.c:

    if (**p_format == '#') {
        ++*p_format;
        if (flags & FLAG_SIZE_T)
            n = va_arg(*p_va, Py_ssize_t);
        else {
            if (PyErr_WarnEx(PyExc_DeprecationWarning,
                    "PY_SSIZE_T_CLEAN will be required for '#' formats", 1)) {
                return NULL;
            }
            n = va_arg(*p_va, int);
        }
    }

If this is entered with an exception raised, PyErr_WarnEx() returns NULL, thus this function returns NULL without consuming the argument relative to the string length for the "s#" specifier. This argument is then consumed at the next iteration for the "O" specifier, resulting in a segmentation fault when the string length is interpreted as an object pointer.
I don't know what the best solution is: either ignoring the return value of PyErr_WarnEx or swapping the lines from

    if (PyErr_WarnEx(PyExc_DeprecationWarning,
            "PY_SSIZE_T_CLEAN will be required for '#' formats", 1)) {
        return NULL;
    }
    n = va_arg(*p_va, int);

to

    n = va_arg(*p_va, int);
    if (PyErr_WarnEx(PyExc_DeprecationWarning,
            "PY_SSIZE_T_CLEAN will be required for '#' formats", 1)) {
        return NULL;
    }

The handling of the "y#" just below suffers from the same problem.
----------
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue38913>
_______________________________________
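
The argument-list desynchronization described in the report, as an added example that is not part of the original message or of CPython's code. It is a toy format walker: `walk()`, `warn()`, `pending_error` and the int handle standing in for the object pointer are all hypothetical, and the walker carries on to the next specifier after a failed item, as the report describes.

```c
#include <stdarg.h>
#include <stdio.h>

/* Constructed stand-ins: pending_error models "an exception is already
 * raised"; warn() models a warning call that fails in that state. */
static int pending_error;
static int warn(void) { return pending_error ? -1 : 0; }

/* Toy walker for the formats "s#" and "O". Objects are passed as int handles
 * so every va_arg() read is well-defined C; in the real code the slot holds a
 * PyObject * and the misread value is later used as a pointer.
 * Returns the value consumed for 'O', or -1 if no 'O' was seen. */
static int walk(int read_len_first, const char *fmt, ...)
{
    va_list va;
    int obj = -1;

    va_start(va, fmt);
    for (const char *f = fmt; *f; f++) {
        if (*f == 's') {
            (void)va_arg(va, char *);            /* string pointer */
            if (f[1] == '#') {
                f++;
                if (read_len_first) {            /* swapped order from the report */
                    (void)va_arg(va, int);
                    if (warn()) continue;        /* item fails, list stays in sync */
                } else {                         /* order quoted from modsupport.c */
                    if (warn()) continue;        /* item fails, length NOT consumed */
                    (void)va_arg(va, int);
                }
            }
        } else if (*f == 'O') {
            obj = va_arg(va, int);               /* next slot, whatever it holds */
        }
    }
    va_end(va);
    return obj;
}

int main(void)
{
    enum { LEN = 5, HANDLE = 42 };               /* constructed sample values */
    pending_error = 1;
    printf("original order: O consumed %d\n", walk(0, "s#O", "hello", LEN, HANDLE));
    printf("swapped order:  O consumed %d\n", walk(1, "s#O", "hello", LEN, HANDLE));
    return 0;
}
```

With the error pending, the original order hands the string length to the `O` handler, while the swapped order hands it the object handle.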