segfault in ctypes.cast #66182

AnthonyLaTorre · 2014-07-14T21:53:26Z

BPO	21983
Nosy	@amauryfa, @abalkin, @vstinner, @meadori, @eryksun, @zooba, @orenmn, @miss-islington
PRs	bpo-21983: Fix a crash in ctypes.cast() in case the type argument is a ctypes structured data type. #3859 [3.7] bpo-21983: Fix a crash in ctypes.cast() when passed a ctypes structured data type (GH-3859) #6745 [3.6] bpo-21983: Fix a crash in ctypes.cast() when passed a ctypes structured data type (GH-3859) #6746

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = <Date 2020-03-26.00:41:45.508>
created_at = <Date 2014-07-14.21:53:26.164>
labels = ['ctypes', 'type-crash']
title = 'segfault in ctypes.cast'
updated_at = <Date 2020-03-26.00:41:45.507>
user = 'https://bugs.python.org/AnthonyLaTorre'

bugs.python.org fields:

activity = <Date 2020-03-26.00:41:45.507>
actor = 'vstinner'
assignee = 'none'
closed = True
closed_date = <Date 2020-03-26.00:41:45.508>
closer = 'vstinner'
components = ['ctypes']
creation = <Date 2014-07-14.21:53:26.164>
creator = 'Anthony.LaTorre'
dependencies = []
files = []
hgrepos = []
issue_num = 21983
keywords = ['patch']
message_count = 10.0
messages = ['223062', '223069', '223100', '303468', '316334', '316337', '316339', '317754', '326039', '365040']
nosy_count = 9.0
nosy_names = ['amaury.forgeotdarc', 'belopolsky', 'vstinner', 'meador.inge', 'eryksun', 'steve.dower', 'Anthony.LaTorre', 'Oren Milman', 'miss-islington']
pr_nums = ['3859', '6745', '6746']
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'crash'
url = 'https://bugs.python.org/issue21983'
versions = ['Python 2.7']

AnthonyLaTorre · 2014-07-14T21:53:26Z

I get a segfault when trying to cast a string to a structure. 
>>> import ctypes
>>> class Struct(ctypes.Structure):
...     _fields_ = [('a', ctypes.c_uint32)]
... 
>>> s = '0'*100
>>> ctypes.cast(s,Struct)
Segmentation fault

The docs (https://docs.python.org/2/library/ctypes.html#ctypes.cast) say that obj "must be an object that can be interpreted as a pointer", so I assume this should return the same exception you get when trying to cast a list:

>>> ctypes.cast(range(10),Struct)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python3.4/ctypes/__init__.py", line 488, in cast
    return _cast(obj, obj, typ)
ctypes.ArgumentError: argument 1: <class 'TypeError'>: wrong type

eryksun · 2014-07-15T00:15:54Z

You need to cast to a pointer type, i.e. POINTER(Struct). Trying to cast to just Struct should raise a TypeError. Instead this revealed a bug in cast_check_pointertype (3.4.1):

http://hg.python.org/cpython/file/c0e311e010fc/Modules/_ctypes/_ctypes.c#l5225

dict->proto is NULL in the Struct type's stgdict, so PyUnicode_Check(dict->proto) segfaults. A simple fix is to add a check for this on line 5235:

    if (dict && dict->proto) {

Then cast will raise the expected TypeError from line 5242 on return from line 5255.

BreamoreBoy · 2014-07-15T11:07:41Z

I'll provide a patch but I don't know which test file to use, can somebody please advise.

orenmn · 2017-10-01T17:14:07Z

IMHO, Lib/ctypes/test/test_cast.py is the relevant test.

Mark, do you still wish to provide a fix for that?
(Otherwise, i would be happy to open a PR.)

zooba · 2018-05-09T21:39:00Z

New changeset d518d8b by Steve Dower (Oren Milman) in branch 'master':
bpo-21983: Fix a crash in ctypes.cast() when passed a ctypes structured data type (GH-3859)
d518d8b

zooba · 2018-05-09T21:44:27Z

The backport to 2.7 needs some help. I can't do it on my laptop for the next week, but I'll try to get to it eventually. Feel free to get there first.

miss-islington · 2018-05-09T22:28:01Z

New changeset 8ac158a by Miss Islington (bot) in branch '3.6':
bpo-21983: Fix a crash in ctypes.cast() when passed a ctypes structured data type (GH-3859)
8ac158a

miss-islington · 2018-05-26T18:39:55Z

New changeset e60f6e1 by Miss Islington (bot) in branch '3.7':
bpo-21983: Fix a crash in ctypes.cast() when passed a ctypes structured data type (GH-3859)
e60f6e1

zooba · 2018-09-21T20:48:48Z

Still needs a backport to 2.7

vstinner · 2020-03-26T00:41:45Z

Still needs a backport to 2.7

No longer needed, I close the issue.

AnthonyLaTorre mannequin added type-crash A hard crash of the interpreter, possibly with a core dump topic-ctypes labels Jul 14, 2014

orenmn mannequin added the 3.7 (EOL) end of life label Oct 2, 2017

zooba added the 3.8 only security fixes label May 9, 2018

zooba self-assigned this May 9, 2018

zooba removed 3.7 (EOL) end of life 3.8 only security fixes labels Aug 2, 2019

zooba removed their assignment Aug 2, 2019

vstinner closed this as completed Mar 26, 2020

ezio-melotti transferred this issue from another repository Apr 10, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

segfault in ctypes.cast #66182

segfault in ctypes.cast #66182

AnthonyLaTorre mannequin commented Jul 14, 2014

AnthonyLaTorre mannequin commented Jul 14, 2014

eryksun commented Jul 15, 2014

BreamoreBoy mannequin commented Jul 15, 2014

orenmn mannequin commented Oct 1, 2017

zooba commented May 9, 2018

zooba commented May 9, 2018

miss-islington commented May 9, 2018

miss-islington commented May 26, 2018

zooba commented Sep 21, 2018

vstinner commented Mar 26, 2020

segfault in ctypes.cast #66182

segfault in ctypes.cast #66182

Comments

AnthonyLaTorre mannequin commented Jul 14, 2014

AnthonyLaTorre mannequin commented Jul 14, 2014

eryksun commented Jul 15, 2014

BreamoreBoy mannequin commented Jul 15, 2014

orenmn mannequin commented Oct 1, 2017

zooba commented May 9, 2018

zooba commented May 9, 2018

miss-islington commented May 9, 2018

miss-islington commented May 26, 2018

zooba commented Sep 21, 2018

vstinner commented Mar 26, 2020