Title: python readline module crashing on NULL access
Type: crash Stage: resolved
Components: Versions: Python 3.3, Python 3.4, Python 2.7
Status: closed Resolution: duplicate
Dependencies: Superseder: Make libedit support more generic; port readline / libedit to FreeBSD
View: 13501
Assigned To: Nosy List: Arfrever, benjamin.peterson, donmez, koobs, martin.panter, tfiala, vstinner
Priority: normal Keywords: patch

Created on 2014-02-15 00:12 by tfiala, last changed 2017-03-23 11:24 by martin.panter. This issue is now closed.

File name | Uploaded | Description
python_2.7.6_module_readline_null.diff | tfiala, 2014-02-15 00:12 | Patch to guard against NULL dereference in Modules/readline.c
python_2.7.6_module_readline_null_02.diff | tfiala, 2014-02-18 19:01 | Revised patch - removes extra call to history_get()
Messages (6)
msg211252 - Author: Todd Fiala (tfiala) Date: 2014-02-15 00:12
Hi all,

In working on the LLVM/LLDB project, I've been hitting a bug in the
embedded interpreter that causes a NULL dereference in the Python
readline module. There is a call to the history_get() function with an
assumption that it returns a non-NULL value. This is not guaranteed to
be true of the history_get function, and causes the readline module to
crash when it hits this condition.

I'm attaching a patch to the Python 2.7.6 source code that addresses
this issue. It adds an explicit NULL test of the history_get() return
value before accessing it.

This issue was discovered in top of tree LLDB (debugger project). See here for details:
msg211538 - Author: Todd Fiala (tfiala) Date: 2014-02-18 19:01
Cleaned up the proposed patch a bit. Moves HIST_ENTRY* into a tighter block and removes the second call to history_get() since the value is already stashed in the NULL-checked local.
msg226817 - Author: Ismail Donmez (donmez) Date: 2014-09-12 12:25
Can we please get a review on this?
msg226860 - Author: Benjamin Peterson (benjamin.peterson) (Python committer) Date: 2014-09-14 00:44
Why does _py_get_history_length return a positive value if there's no line available?
msg269000 - Author: Martin Panter (martin.panter) (Python committer) Date: 2016-06-21 14:03
I think an answer to Benjamin’s question is necessary to move this forward. The code already checks the index before calling history_get(). How do you manage to get null pointers returned for every history item?

In the LLVM bug thread, I noticed “libedit” a.k.a. Editline mentioned a few times. Are you sure Python is using Gnu Readline, or is it somehow hooking into Editline? Python only really supports Editline on Apple, not Linux (see Issue 13501 for expanding that support).
msg290042 - Author: Martin Panter (martin.panter) (Python committer) Date: 2017-03-23 11:22
Closing in favour of Issue 13501, since the report was apparently about using a non-Apple Editline rather than Gnu Readline. However see also Issue 29854, where the same symptom is seen with Gnu Readline, and it will probably get the same fix.
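A constructed C illustration of the failure mode tfiala reports and the guard the patch adds: the history length check passes, yet history_get() still hands back NULL, which is exactly what a mismatched index base (GNU Readline counting from 1, an Editline build counting from 0, as Martin's question suggests) would produce. This is added example code, not the attached patch or Modules/readline.c; the history store, fake_history_get() and the history_base behaviour are assumptions made to reproduce the symptom offline.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for GNU Readline's HIST_ENTRY; only the field the
 * crash touches is modelled. Not Python's or readline's actual code. */
typedef struct { const char *line; } HIST_ENTRY;

/* Constructed history store. history_base is the offset of the first entry:
 * GNU Readline defaults to 1, some Editline builds count from 0, so the same
 * numeric index can be valid for one library and out of range for the other. */
static HIST_ENTRY entries[] = { {"import os"}, {"os.getcwd()"}, {"quit()"} };
static int history_length = 3;
int history_base = 1;

/* Mimics history_get(): NULL whenever the offset misses the list. */
static HIST_ENTRY *fake_history_get(int offset) {
    int i = offset - history_base;
    return (i < 0 || i >= history_length) ? NULL : &entries[i];
}

/* Shape of the crashing code: a positive length is taken as proof that the
 * entry exists, so history_get()'s result is dereferenced unconditionally. */
const char *last_line_unguarded(void) {
    if (history_length <= 0) return "";
    return fake_history_get(history_length)->line; /* NULL deref when base is 0 */
}

/* Shape of the proposed fix: keep the entry in a local and test it for NULL
 * before touching ->line, falling back to "" as if the history were empty. */
const char *last_line_guarded(void) {
    if (history_length > 0) {
        HIST_ENTRY *hist_ent = fake_history_get(history_length);
        if (hist_ent != NULL)
            return hist_ent->line;
    }
    return "";
}

int main(void) {
    history_base = 1;
    printf("base 1: \"%s\"\n", last_line_guarded()); /* quit() */
    history_base = 0;
    printf("base 0: \"%s\"\n", last_line_guarded()); /* empty string, no crash */
    return 0;
}
```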
Date | User | Action | Args
2017-03-23 11:24:13 | martin.panter | set | superseder: Make libedit support more generic; port readline / libedit to FreeBSD
2017-03-23 11:23:15 | martin.panter | set | status: open -> closed; resolution: duplicate; stage: patch review -> resolved
2017-03-23 11:22:51 | martin.panter | set | status: pending -> open; messages: + msg290042
2016-06-21 14:03:34 | martin.panter | set | status: open -> pending; nosy: + martin.panter; messages: + msg269000
2014-09-14 00:58:40 | Arfrever | set | nosy: + Arfrever
2014-09-14 00:44:50 | benjamin.peterson | set | nosy: + benjamin.peterson; messages: + msg226860
2014-09-12 13:10:50 | vstinner | set | nosy: + vstinner
2014-09-12 12:25:33 | donmez | set | nosy: + donmez; messages: + msg226817
2014-02-19 12:51:57 | pitrou | set | stage: patch review; versions: + Python 3.3, Python 3.4
2014-02-18 19:01:54 | tfiala | set | files: + python_2.7.6_module_readline_null_02.diff; messages: + msg211538
2014-02-15 02:33:49 | koobs | set | nosy: + koobs
2014-02-15 00:13:52 | tfiala | set | type: crash
2014-02-15 00:12:11 | tfiala | create |