Classification
Title: NULL + 1 in _PyFunction_FastCallDict(), PyEval_EvalCodeEx()
Stage: resolved
Components: Interpreter Core
Versions: Python 3.7
Process
Status: closed
Resolution: fixed
Nosy List: ZackerySpytz, serhiy.storchaka, vstinner
Priority: normal

Created on 2017-06-12 14:37 by serhiy.storchaka, last changed 2017-09-08 01:19 by vstinner. This issue is now closed.

Pull Requests
PR 2919 (merged) - ZackerySpytz, 2017-07-27 16:25
PR 2964 (merged) - ZackerySpytz, 2017-07-31 21:41
Messages (7)
msg295786 - Author: Serhiy Storchaka (serhiy.storchaka) (Python committer) Date: 2017-06-12 14:37
In _PyFunction_FastCallDict(), if nk == 0, k is set to NULL. After that k + 1 is passed to _PyEval_EvalCodeWithName(). NULL + 1 is undefined behavior.
msg295788 - Author: STINNER Victor (vstinner) (Python committer) Date: 2017-06-12 14:41
Can you please show me the line doing NULL+1? I don't see it. Or do you mean the "k + 1" with k=NULL?

_PyEval_EvalCodeWithName() ignores kwnames and kwargs when kwcount is zero. So I don't think that the value of NULL+1 matters here :-)
msg295794 - Author: Serhiy Storchaka (serhiy.storchaka) (Python committer) Date: 2017-06-12 15:11
Yes, I mean the "k + 1" with k=NULL.

Even if _PyEval_EvalCodeWithName() ignores that value, this is still undefined behavior. For example, the compiler can decide that since NULL+1 is not valid, k is never NULL, and ignore the branch that sets k to NULL. It can also not generate the code in _PyEval_EvalCodeWithName() for handling the case kwcount == 0.
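To make the undefined-behaviour point concrete, here is an added C example (not CPython's code; the callee eval_with_kwargs() and the string-based keyword array are assumptions standing in for _PyEval_EvalCodeWithName() and its PyObject* arrays): the reported pattern, where k + 1 is formed even when k is NULL, beside a form that only computes k + 1 when k points at a real array.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the CPython call pattern discussed in this issue.
 * Keyword arguments arrive interleaved: k[0]=name0, k[1]=value0, k[2]=name1,
 * k[3]=value1, ...  The callee gets a names pointer (k) and a values pointer
 * (k + 1), walked with stride 2 for nk entries. Strings replace PyObject*. */

/* Hypothetical callee modelled on _PyEval_EvalCodeWithName(): it never touches
 * kws/kwvals when kwcount == 0, which is why the bug is invisible at run time. */
static size_t eval_with_kwargs(const char **kws, const char **kwvals,
                               size_t kwstep, size_t kwcount)
{
    size_t seen = 0;
    for (size_t i = 0; i < kwcount; i++) {
        if (kws[i * kwstep] != NULL && kwvals[i * kwstep] != NULL)
            seen++;
    }
    return seen;
}

/* The pattern reported above: with nk == 0, k is NULL but "k + 1" is still
 * evaluated. Arithmetic on a null pointer is undefined in C regardless of
 * whether the callee reads the result; the compiler may infer k != NULL and
 * delete the nk == 0 handling around it. */
static size_t call_before_fix(const char **kwpairs, size_t nk)
{
    const char **k = (nk == 0) ? NULL : kwpairs;
    return eval_with_kwargs(k, k + 1, 2, nk);   /* UB when k == NULL */
}

/* Hardened form (illustrative, not the exact text of the CPython fix): form
 * k + 1 only when k points at a real array, otherwise pass NULL twice. */
static size_t call_after_fix(const char **kwpairs, size_t nk)
{
    const char **k = (nk == 0) ? NULL : kwpairs;
    const char **kvals = (k != NULL) ? k + 1 : NULL;
    return eval_with_kwargs(k, kvals, 2, nk);
}

/* Constructed sample: two keyword pairs, as for print(..., sep=" ", end="\n"). */
static const char *SAMPLE_KW[] = { "sep", " ", "end", "\n" };

int main(void)
{
    printf("2 kwargs: %zu seen\n", call_after_fix(SAMPLE_KW, 2));
    printf("0 kwargs: %zu seen\n", call_after_fix(SAMPLE_KW, 0));
    return 0;
}
```

Compiling with -fsanitize=undefined reports the null-pointer arithmetic in call_before_fix() for nk == 0 even though nothing is dereferenced, which is the cheap check a reviewer can run for this class of bug.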
msg299538 - Author: Zackery Spytz (ZackerySpytz) (Python triager) Date: 2017-07-31 05:39
As mentioned in PR 2919, this is an issue in PyEval_EvalCodeEx() as well.
msg299556 - Author: Serhiy Storchaka (serhiy.storchaka) (Python committer) Date: 2017-07-31 14:24
New changeset c6ea8974e2d939223bfd6d64ee13ec89c090d2e0 by Serhiy Storchaka (Zackery Spytz) in branch 'master':
bpo-30640: Fix undefined behavior in _PyFunction_FastCallDict() and PyEval_EvalCodeEx() (#2919)
https://github.com/python/cpython/commit/c6ea8974e2d939223bfd6d64ee13ec89c090d2e0
msg301663 - Author: STINNER Victor (vstinner) (Python committer) Date: 2017-09-08 01:17
New changeset f032e9237aa7d43d21e0b04d685c36bddf7078c1 by Victor Stinner (Zackery Spytz) in branch '3.6':
[3.6] bpo-30640: Fix undefined behavior in _PyFunction_FastCallDict() and PyEval_EvalCodeEx() (GH-2919) (#2964)
https://github.com/python/cpython/commit/f032e9237aa7d43d21e0b04d685c36bddf7078c1
msg301664 - Author: STINNER Victor (vstinner) (Python committer) Date: 2017-09-08 01:19
It's now fixed in Python 3.6 and master (3.7).

FYI this issue was also detected by Coverity as CID 1415964.
History
Date  User  Action  Args
2017-09-08 01:19:03  vstinner  set  status: open -> closed; resolution: fixed; messages: + msg301664; stage: resolved
2017-09-08 01:17:40  vstinner  set  messages: + msg301663
2017-07-31 21:41:05  ZackerySpytz  set  pull_requests: + pull_request3011
2017-07-31 14:24:43  serhiy.storchaka  set  messages: + msg299556
2017-07-31 05:39:16  ZackerySpytz  set  nosy: + ZackerySpytz; messages: + msg299538; title: NULL + 1 in _PyFunction_FastCallDict() -> NULL + 1 in _PyFunction_FastCallDict(), PyEval_EvalCodeEx()
2017-07-27 16:25:14  ZackerySpytz  set  pull_requests: + pull_request2972
2017-06-12 15:11:32  serhiy.storchaka  set  messages: + msg295794
2017-06-12 14:41:53  vstinner  set  messages: + msg295788
2017-06-12 14:38:39  vstinner  set  title: NULL + 1 -> NULL + 1 in _PyFunction_FastCallDict()
2017-06-12 14:37:59  serhiy.storchaka  create