classification
Title: Pylauncher, launcher.c: Assigning NULL to a pointer instead of testing against NULL
Type: crash Stage: resolved
Components: Windows Versions: Python 3.6, Python 3.5
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: Nosy List: Alexander Riccio, paul.moore, python-dev, serhiy.storchaka, steve.dower, tim.golden, vinay.sajip, zach.ware
Priority: normal Keywords:

Created on 2015-12-12 04:33 by Alexander Riccio, last changed 2015-12-21 06:47 by python-dev. This issue is now closed.

Messages (4)
msg256254 - (view) Author: Alexander Riccio (Alexander Riccio) * Date: 2015-12-12 04:33
I found this while writing up a separate bug (CPython doesn't use static analysis!).

In PC/launcher.c, get_env has a bug:

        /* Large environment variable. Accept some leakage */
        wchar_t *buf2 = (wchar_t*)malloc(sizeof(wchar_t) * (result+1));
        if (buf2 = NULL) {
            error(RC_NO_MEMORY, L"Could not allocate environment buffer");
        }
        GetEnvironmentVariableW(key, buf2, result);
        return buf2;

See: https://hg.python.org/cpython/file/tip/PC/launcher.c#l117


Instead of `buf2 == NULL`, Vinay Sajip wrote `buf2 = NULL`. The commit where the error was introduced: https://hg.python.org/cpython/rev/4123e002a1af

Thus, whatever value was in buf2 is lost, the branch is NOT taken (because buf2 evaluates to false), and GetEnvironmentVariableW will (probably) cause an access violation. 


Compiling with /analyze found this quite easily:

c:\pythondev\repo\pc\launcher.c(117): warning C6282: Incorrect operator:  assignment of constant in Boolean context. Consider using '==' instead.
msg256319 - (view) Author: Roundup Robot (python-dev) (Python triager) Date: 2015-12-13 09:45
New changeset 5015440beec2 by Vinay Sajip in branch '3.4':
Fixes #25844: Corrected =/== typo potentially leading to crash in launcher.
https://hg.python.org/cpython/rev/5015440beec2

New changeset 9552fcd303fd by Vinay Sajip in branch '3.5':
Fixes #25844: Corrected =/== typo potentially leading to crash in launcher.
https://hg.python.org/cpython/rev/9552fcd303fd

New changeset cdf8033d8820 by Vinay Sajip in branch 'default':
Fixes #25844: Merged fix from 3.5.
https://hg.python.org/cpython/rev/cdf8033d8820
msg256697 - (view) Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2015-12-18 17:50
To the fix for this bug we have to provoke the unsufficient memory error just at this point. This is unlikely worth.

Thank you Alexander for your reports.
msg256784 - (view) Author: Roundup Robot (python-dev) (Python triager) Date: 2015-12-21 06:47
New changeset 48b3cac0dbcd by Vinay Sajip in branch '3.4':
Fixes #25844: Corrected =/== typo potentially leading to crash in launcher.
https://hg.python.org/cpython/rev/48b3cac0dbcd
History
Date User Action Args
2015-12-21 06:47:30python-devsetmessages: + msg256784
2015-12-18 17:50:51serhiy.storchakasetstatus: open -> closed

nosy: + serhiy.storchaka
messages: + msg256697

resolution: fixed
stage: test needed -> resolved
2015-12-13 09:45:32python-devsetnosy: + python-dev
messages: + msg256319
2015-12-13 04:29:29brett.cannonsetstage: test needed
versions: + Python 3.5, Python 3.6
2015-12-12 04:33:37Alexander Ricciosettype: crash
2015-12-12 04:33:27Alexander Ricciocreate