Issue 36421: A possible double decref in _ctypes.c's PyCArrayType_new()

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

This issue has been migrated to GitHub: https://github.com/python/cpython/issues/80602

classification

Title:	A possible double decref in _ctypes.c's PyCArrayType_new()
Type:		Stage:	resolved
Components:	ctypes, Extension Modules	Versions:	Python 3.8, Python 3.7, Python 2.7

process

Status:	closed	Resolution:	fixed
Dependencies:		Superseder:
Assigned To:		Nosy List:	ZackerySpytz, matrixise, miss-islington, serhiy.storchaka, vstinner
Priority:	normal	Keywords:	patch

Created on 2019-03-25 03:31 by ZackerySpytz, last changed 2022-04-11 14:59 by admin. This issue is now closed.

Pull Requests
URL	Status	Linked	Edit
PR 12530	merged	ZackerySpytz, 2019-03-25 03:35
PR 12533	merged	miss-islington, 2019-03-25 08:08
PR 12534	merged	ZackerySpytz, 2019-03-25 10:50

Messages (6)
msg338779 - (view)	Author: Zackery Spytz (ZackerySpytz) *	Date: 2019-03-25 03:31
In PyCArrayType_new(), type_attr is assigned to stgdict->proto. If the PyDict_Update() call fails in that function, type_attr will be decrefed an extra time when stgdict is deallocated. I'll create a PR for this issue.
msg338782 - (view)	Author: Stéphane Wirtel (matrixise) *	Date: 2019-03-25 05:26
Hi Zackery, just one question, how did you detect this bug? in reading the code, with a tool (valgrind or sanitizer) or with a test? Have a nice day and thank you for the clarification.
msg338787 - (view)	Author: Serhiy Storchaka (serhiy.storchaka) *	Date: 2019-03-25 08:07
New changeset 5e333784f007950f22de44c1ffab5b0c03d6691f by Serhiy Storchaka (Zackery Spytz) in branch 'master': bpo-36421: Fix a possible double decref in _ctypes.c's PyCArrayType_new(). (GH-12530) https://github.com/python/cpython/commit/5e333784f007950f22de44c1ffab5b0c03d6691f
msg338791 - (view)	Author: miss-islington (miss-islington)	Date: 2019-03-25 08:34
New changeset fa27870992a7228c8bf378d53649ee22333b69db by Miss Islington (bot) in branch '3.7': bpo-36421: Fix a possible double decref in _ctypes.c's PyCArrayType_new(). (GH-12530) https://github.com/python/cpython/commit/fa27870992a7228c8bf378d53649ee22333b69db
msg338798 - (view)	Author: Serhiy Storchaka (serhiy.storchaka) *	Date: 2019-03-25 14:15
New changeset 0516f81828887a8ec34a3d5ed342dd396f367dcd by Serhiy Storchaka (Zackery Spytz) in branch '2.7': [2.7] bpo-36421: Fix ref counting bugs in _ctypes.c's PyCArrayType_new(). (GH-12534) https://github.com/python/cpython/commit/0516f81828887a8ec34a3d5ed342dd396f367dcd
msg344598 - (view)	Author: STINNER Victor (vstinner) *	Date: 2019-06-04 16:18
> just one question, how did you detect this bug? I bet that Zackery Spytz used Svace static analyzer: http://www.ispras.ru/en/technologies/svace/ See also: https://python-security.readthedocs.io/security.html#static-analysers-of-cpython-code-base

History
Date	User	Action	Args
2022-04-11 14:59:12	admin	set	github: 80602
2019-06-04 16:18:11	vstinner	set	nosy: + vstinner messages: + msg344598
2019-03-25 14:16:30	serhiy.storchaka	set	status: open -> closed stage: patch review -> resolved resolution: fixed versions: + Python 2.7
2019-03-25 14:15:56	serhiy.storchaka	set	messages: + msg338798
2019-03-25 10:50:21	ZackerySpytz	set	pull_requests: + pull_request12484
2019-03-25 08:34:30	miss-islington	set	nosy: + miss-islington messages: + msg338791
2019-03-25 08:08:20	miss-islington	set	pull_requests: + pull_request12483
2019-03-25 08:07:54	serhiy.storchaka	set	nosy: + serhiy.storchaka messages: + msg338787
2019-03-25 05:26:16	matrixise	set	nosy: + matrixise messages: + msg338782
2019-03-25 03:35:07	ZackerySpytz	set	keywords: + patch stage: patch review pull_requests: + pull_request12481
2019-03-25 03:31:24	ZackerySpytz	create