Message 357554 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	danielen
Recipients	danielen, doko, lukasz.langa, steve.dower
Date	2019-11-27.04:38:54
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1574829535.2.0.731319247849.issue38913@roundup.psfhosted.org>
In-reply-to

Content
The problem arises from this code in do_mktuple(), staring at line 394 in modsupport.c: if (*p_format == '#') { ++p_format; if (flags & FLAG_SIZE_T) n = va_arg(p_va, Py_ssize_t); else { if (PyErr_WarnEx(PyExc_DeprecationWarning, "PY_SSIZE_T_CLEAN will be required for '#' formats", 1)) { return NULL; } n = va_arg(p_va, int); } } If this is entered with an exception raised, PyErr_WarnEx() return NULL, thus this function return NULL without consuming the argument relative to the string length for the "s#" specifier. This argument is then consumed at the next iteration for the "O" specifier, resulting in a segmentation fault when the string length is interpreted as an object pointer. I don't know what is the best solution: either ignoring the return value of PyErr_WarnEx or swapping the lines from if (PyErr_WarnEx(PyExc_DeprecationWarning, "PY_SSIZE_T_CLEAN will be required for '#' formats", 1)) { return NULL; } n = va_arg(p_va, int); to n = va_arg(p_va, int); if (PyErr_WarnEx(PyExc_DeprecationWarning, "PY_SSIZE_T_CLEAN will be required for '#' formats", 1)) { return NULL; } The handling of the "y#" just below suffers from the same problem.

The problem arises from this code in do_mktuple(), staring at line 394 in modsupport.c:

            if (**p_format == '#') {
                ++*p_format;
                if (flags & FLAG_SIZE_T)
                    n = va_arg(*p_va, Py_ssize_t);
                else {
                    if (PyErr_WarnEx(PyExc_DeprecationWarning,
                                "PY_SSIZE_T_CLEAN will be required for '#' formats", 1)) {
                        return NULL;
                    }
                    n = va_arg(*p_va, int);
                }
            }

If this is entered with an exception raised, PyErr_WarnEx() return NULL, thus this function return NULL without consuming the argument relative to the string length for the "s#" specifier. This argument is then consumed at the next iteration for the "O" specifier, resulting in a segmentation fault when the string length is interpreted as an object pointer.

I don't know what is the best solution: either ignoring the return value of PyErr_WarnEx or swapping the lines from 

                    if (PyErr_WarnEx(PyExc_DeprecationWarning,
                                "PY_SSIZE_T_CLEAN will be required for '#' formats", 1)) {
                        return NULL;
                    }
                    n = va_arg(*p_va, int);


to 

                    n = va_arg(*p_va, int);
                    if (PyErr_WarnEx(PyExc_DeprecationWarning,
                                "PY_SSIZE_T_CLEAN will be required for '#' formats", 1)) {
                        return NULL;
                    }

The handling of the "y#" just below suffers from the same problem.

History
Date	User	Action	Args
2019-11-27 04:38:55	danielen	set	recipients: + danielen, doko, lukasz.langa, steve.dower
2019-11-27 04:38:55	danielen	set	messageid: <1574829535.2.0.731319247849.issue38913@roundup.psfhosted.org>
2019-11-27 04:38:55	danielen	link	issue38913 messages
2019-11-27 04:38:54	danielen	create