Author Alexander Riccio
Recipients Alexander Riccio, benjamin.peterson
Date 2020-03-20.00:58:26
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1584665907.06.0.965824419022.issue40020@roundup.psfhosted.org>
In-reply-to
Content
growable_comment_array_add in parsetok.c incorrectly uses realloc, which leaks the array when allocation fails, and then causes a null pointer deref crash later when the array is freed in growable_comment_array_deallocate (the array pointer is dereferenced, passing null to free is fine).

It's unlikely that this codepath is reached in normal use, since type comments need to be turned on (via the PyCF_TYPE_COMMENTS compiler flag), but I've managed to replicate the issue by injecting faults with Application Verifier. It's easiest to cause it to fail with a very large number of type comments, but presumably this could also happen with some form of heap fragmentation.

The buggy code is:

static int
growable_comment_array_add(growable_comment_array *arr, int lineno, char *comment) {
    if (arr->num_items >= arr->size) {
        arr->size *= 2;
        /* BUG: if realloc fails it returns NULL and leaves the old block
         * allocated, but the only pointer to it (arr->items) is overwritten
         * here, so the old block leaks and arr->items is left NULL while
         * num_items is still > 0. */
        arr->items = realloc(arr->items, arr->size * sizeof(*arr->items));
        if (!arr->items) {
            return 0;
        }
    }

    arr->items[arr->num_items].lineno = lineno;
    arr->items[arr->num_items].comment = comment;
    arr->num_items++;
    return 1;
}


and the correct code would be something like:

static int
growable_comment_array_add(growable_comment_array *arr, int lineno, char *comment) {
    if (arr->num_items >= arr->size) {
        arr->size *= 2;
        /* Keep the result in a temporary so a failed realloc does not
         * clobber arr->items; the old block stays owned by arr and can
         * still be freed by growable_comment_array_deallocate. */
        void *new_items_array = realloc(arr->items, arr->size * sizeof(*arr->items));
        if (!new_items_array) {
            return 0;
        }
        arr->items = new_items_array;
    }

    arr->items[arr->num_items].lineno = lineno;
    arr->items[arr->num_items].comment = comment;
    arr->num_items++;
    return 1;
}
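The two patterns side by side under a forced allocation failure, as an added example that is not code from the report or from CPython. The struct names are stand-ins for the parsetok.c types, fallible_realloc() plays the role of Application Verifier's fault injection, and the fixed version also defers the size update until the realloc succeeds, which goes one step beyond the corrected snippet above.

```c
#include <stdlib.h>

/* Hypothetical stand-ins for the parsetok.c types (names assumed, not CPython's). */
typedef struct { int lineno; char *comment; } comment_item;
typedef struct { comment_item *items; int size; int num_items; } growable_comment_array;

/* Fault injection: when set, the next realloc() fails (stand-in for Application Verifier). */
static int fail_next_realloc = 0;
static void *fallible_realloc(void *p, size_t n) {
    if (fail_next_realloc) { fail_next_realloc = 0; return NULL; }
    return realloc(p, n);
}

/* Buggy: a failed realloc() loses the only pointer to the old block; items == NULL, num_items > 0. */
static int add_buggy(growable_comment_array *arr, int lineno, char *comment) {
    if (arr->num_items >= arr->size) {
        arr->size *= 2;
        arr->items = fallible_realloc(arr->items, (size_t)arr->size * sizeof(*arr->items));
        if (!arr->items) return 0;
    }
    arr->items[arr->num_items++] = (comment_item){ lineno, comment };
    return 1;
}

/* Fixed: commit pointer and size only after realloc() succeeds; on failure arr is untouched. */
static int add_fixed(growable_comment_array *arr, int lineno, char *comment) {
    if (arr->num_items >= arr->size) {
        int new_size = arr->size * 2;
        void *new_items = fallible_realloc(arr->items, (size_t)new_size * sizeof(*arr->items));
        if (!new_items) return 0;
        arr->items = new_items;
        arr->size = new_size;
    }
    arr->items[arr->num_items++] = (comment_item){ lineno, comment };
    return 1;
}

/* Drives one add through a forced allocation failure on a 1-slot array and returns that add's
 * result; *items_null reports the state in which a deallocate loop over items would crash. */
static int run_scenario(int (*add)(growable_comment_array *, int, char *), int *items_null) {
    growable_comment_array arr = { malloc(sizeof(comment_item)), 1, 0 };
    if (!arr.items) return -1;
    add(&arr, 1, "# type: int");             /* constructed sample comment, fits in slot 0 */
    comment_item *old_items = arr.items;     /* kept only so the demo can clean up */
    fail_next_realloc = 1;
    int rc = add(&arr, 2, "# type: str");    /* needs to grow: the realloc fails */
    *items_null = (arr.items == NULL);
    free(arr.items ? arr.items : old_items); /* real code has no handle to old_items */
    return rc;
}
```

Both variants report failure to the caller; only the buggy one leaves the array in a state that deallocation cannot handle.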