classification
Title: A possible double decref in _ctypes.c's PyCArrayType_new()
Type:
Stage: resolved
Components: ctypes, Extension Modules
Versions: Python 3.8, Python 3.7, Python 2.7
process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To:
Nosy List: ZackerySpytz, matrixise, miss-islington, serhiy.storchaka, vstinner
Priority: normal
Keywords: patch

Created on 2019-03-25 03:31 by ZackerySpytz, last changed 2019-06-04 16:18 by vstinner. This issue is now closed.

Pull Requests
URL Status Linked Edit
PR 12530 merged ZackerySpytz, 2019-03-25 03:35
PR 12533 merged miss-islington, 2019-03-25 08:08
PR 12534 merged ZackerySpytz, 2019-03-25 10:50
Messages (6)
msg338779 - (view) Author: Zackery Spytz (ZackerySpytz) * (Python triager) Date: 2019-03-25 03:31
In PyCArrayType_new(), type_attr is assigned to stgdict->proto. If the PyDict_Update() call fails in that function, type_attr will be decrefed an extra time when stgdict is deallocated.

I'll create a PR for this issue.
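
A toy model of the ownership error described in this message, added here as an example; it is not CPython's code and not the patch from the linked PRs. `Obj`, `StgDict`, `array_type_new` and `final_refcnt` are hypothetical names, and clearing the local pointer after the transfer is one assumed way to fix the error path.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy refcounted object (assumption: stands in for a PyObject). The count is
   only tracked, never acted on, so an over-release can be observed safely. */
typedef struct { int refcnt; } Obj;
typedef struct { Obj *proto; } StgDict;      /* owns one reference to proto */

static void decref(Obj *o) { if (o) o->refcnt--; }

/* The container's deallocator releases the reference it owns. */
static void stgdict_dealloc(StgDict *d) { decref(d->proto); free(d); }

/* Hypothetical constructor. type_attr arrives as a new reference that this
   function must either hand to the container or release, never both. */
static StgDict *array_type_new(Obj *type_attr, int fixed, int update_fails) {
    StgDict *d = calloc(1, sizeof *d);
    if (d == NULL) { decref(type_attr); return NULL; }
    d->proto = type_attr;            /* the reference now belongs to d */
    if (fixed) type_attr = NULL;     /* forget the local name after the move */
    if (update_fails) goto error;    /* stands in for PyDict_Update() failing */
    return d;
error:
    decref(type_attr);               /* buggy shape: first release; fixed: no-op */
    stgdict_dealloc(d);              /* releases d->proto: second release if buggy */
    return NULL;
}

/* Returns type_attr's count after construction. It starts at 2: one reference
   held elsewhere (e.g. the class namespace) plus the new one passed in. */
static int final_refcnt(int fixed, int update_fails) {
    Obj type = { 2 };
    StgDict *d = array_type_new(&type, fixed, update_fails);
    int rc = type.refcnt;
    if (d) stgdict_dealloc(d);
    return rc;
}

int main(void) {
    printf("buggy, update fails: %d\n", final_refcnt(0, 1));
    printf("fixed, update fails: %d\n", final_refcnt(1, 1));
    printf("either, update ok:   %d\n", final_refcnt(0, 0));
    return 0;
}
```

In the buggy shape the count drops to zero while the other holder still exists, which in a real interpreter means the object is freed under a live reference.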
msg338782 - (view) Author: Stéphane Wirtel (matrixise) * (Python committer) Date: 2019-03-25 05:26
Hi Zackery,

Just one question: how did you detect this bug? By reading the code,
with a tool (valgrind or sanitizer) or with a test?

Have a nice day and thank you for the clarification.
msg338787 - (view) Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2019-03-25 08:07
New changeset 5e333784f007950f22de44c1ffab5b0c03d6691f by Serhiy Storchaka (Zackery Spytz) in branch 'master':
bpo-36421: Fix a possible double decref in _ctypes.c's PyCArrayType_new(). (GH-12530)
https://github.com/python/cpython/commit/5e333784f007950f22de44c1ffab5b0c03d6691f
msg338791 - (view) Author: miss-islington (miss-islington) Date: 2019-03-25 08:34
New changeset fa27870992a7228c8bf378d53649ee22333b69db by Miss Islington (bot) in branch '3.7':
bpo-36421: Fix a possible double decref in _ctypes.c's PyCArrayType_new(). (GH-12530)
https://github.com/python/cpython/commit/fa27870992a7228c8bf378d53649ee22333b69db
msg338798 - (view) Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2019-03-25 14:15
New changeset 0516f81828887a8ec34a3d5ed342dd396f367dcd by Serhiy Storchaka (Zackery Spytz) in branch '2.7':
[2.7] bpo-36421: Fix ref counting bugs in _ctypes.c's PyCArrayType_new(). (GH-12534)
https://github.com/python/cpython/commit/0516f81828887a8ec34a3d5ed342dd396f367dcd
msg344598 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2019-06-04 16:18
> just one question, how did you detect this bug?

I bet that Zackery Spytz used the Svace static analyzer: http://www.ispras.ru/en/technologies/svace/

See also: https://python-security.readthedocs.io/security.html#static-analysers-of-cpython-code-base
History
Date | User | Action | Args
2019-06-04 16:18:11 | vstinner | set | nosy: + vstinner; messages: + msg344598
2019-03-25 14:16:30 | serhiy.storchaka | set | status: open -> closed; stage: patch review -> resolved; resolution: fixed; versions: + Python 2.7
2019-03-25 14:15:56 | serhiy.storchaka | set | messages: + msg338798
2019-03-25 10:50:21 | ZackerySpytz | set | pull_requests: + pull_request12484
2019-03-25 08:34:30 | miss-islington | set | nosy: + miss-islington; messages: + msg338791
2019-03-25 08:08:20 | miss-islington | set | pull_requests: + pull_request12483
2019-03-25 08:07:54 | serhiy.storchaka | set | nosy: + serhiy.storchaka; messages: + msg338787
2019-03-25 05:26:16 | matrixise | set | nosy: + matrixise; messages: + msg338782
2019-03-25 03:35:07 | ZackerySpytz | set | keywords: + patch; stage: patch review; pull_requests: + pull_request12481
2019-03-25 03:31:24 | ZackerySpytz | create |