Message415021
Inspired by Guido's comment in https://github.com/python/cpython/pull/31834/files#r825352900, I found that there are some places in bytearrayobject.c where we can write to free'd memory if we encounter an object with a sneaky __index__ method:
$ cat basneak.py
ba = bytearray([0 for _ in range(10000)])

class sneaky:
    # Invoked when the assignment below converts the value via __index__,
    # i.e. after the index -1 has already been bounds-checked.
    def __index__(self):
        ba.clear()  # shrinks the array to 0 bytes; the checked index is now stale
        return 1

ba[-1] = sneaky()  # the byte is written through the stale index
$ valgrind ./python basneak.py
==87894== Memcheck, a memory error detector
==87894== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==87894== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==87894== Command: ./python basneak.py
==87894==
==87894== Invalid write of size 1
==87894== at 0x49B70F: bytearray_ass_subscript (bytearrayobject.c:632)
==87894== by 0x488E03: PyObject_SetItem (abstract.c:211)
<snip>
In bytearray_setitem(), we first do bounds checking, and then call _getbytevalue() to get the numeric value of the argument.
I think there's a similar bug in bytearray_ass_subscript().

Date | User | Action | Args
2022-03-13 02:05:03 | JelleZijlstra | set | recipients: + JelleZijlstra, gvanrossum
2022-03-13 02:05:03 | JelleZijlstra | set | messageid: <1647137103.05.0.520249500347.issue46997@roundup.psfhosted.org>
2022-03-13 02:05:03 | JelleZijlstra | link | issue46997 messages
2022-03-13 02:05:02 | JelleZijlstra | create |
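The pattern the report describes (validate the index, then call back into arbitrary code via __index__, then write) is shown below in a small C model of a resizable byte buffer, next to one ordering that closes the window: convert the value first, then resolve and check the index against the length the buffer has after that call. This is an added illustration written for this page, not CPython's bytearrayobject.c or the eventual fix; the ByteArray and Value types, ba_clear(), setitem_vulnerable() and setitem_fixed() are hypothetical names constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for a bytearray: heap storage plus its current length.
 * Constructed for this example; not CPython's PyByteArrayObject. */
typedef struct {
    unsigned char *buf;
    size_t len;
} ByteArray;

/* Stand-in for a Python object whose __index__ may run arbitrary code.
 * The hook receives the array so it can mutate it, as ba.clear() does. */
typedef struct {
    int (*to_int)(ByteArray *ba, void *ctx); /* byte value, or -1 on error */
    void *ctx;
} Value;

static int ba_init(ByteArray *ba, size_t n) {
    ba->buf = calloc(n ? n : 1, 1);
    ba->len = ba->buf ? n : 0;
    return ba->buf ? 0 : -1;
}

/* Like bytearray.clear(): the old storage goes away and a minimal
 * allocation takes its place, so an index validated against the old
 * length now points outside the live buffer. */
static void ba_clear(ByteArray *ba) {
    free(ba->buf);
    ba->buf = malloc(1);
    ba->len = 0;
}

static void ba_free(ByteArray *ba) {
    free(ba->buf);
    ba->buf = NULL;
    ba->len = 0;
}

/* Mimics sneaky.__index__ from the report: clear the array, return 1. */
static int sneaky_to_int(ByteArray *ba, void *ctx) {
    (void)ctx;
    ba_clear(ba);
    return 1;
}

/* A well-behaved value: just returns the int it was given. */
static int plain_to_int(ByteArray *ba, void *ctx) {
    (void)ba;
    return *(int *)ctx;
}

/* Vulnerable ordering, as the report describes for bytearray_setitem():
 * bounds check, then convert the value (arbitrary code), then write.
 * Returns 0 on success, -1 for an out-of-range index or bad value. */
static int setitem_vulnerable(ByteArray *ba, long i, const Value *v) {
    if (i < 0) i += (long)ba->len;
    if (i < 0 || (size_t)i >= ba->len) return -1;
    int byte = v->to_int(ba, v->ctx);   /* may free or resize ba->buf */
    if (byte < 0 || byte > 255) return -1;
    ba->buf[i] = (unsigned char)byte;   /* i is stale: invalid write */
    return 0;
}

/* Hardened ordering: run the conversion first, then resolve and check
 * the index against the length the array has after that call. */
static int setitem_fixed(ByteArray *ba, long i, const Value *v) {
    int byte = v->to_int(ba, v->ctx);
    if (byte < 0 || byte > 255) return -1;
    if (i < 0) i += (long)ba->len;
    if (i < 0 || (size_t)i >= ba->len) return -1;
    ba->buf[i] = (unsigned char)byte;
    return 0;
}

int main(int argc, char **argv) {
    ByteArray ba;
    Value sneaky = { sneaky_to_int, NULL };

    if (ba_init(&ba, 10000) != 0) return 1;
    /* ba[-1] = sneaky() with the safe ordering: index error, no write. */
    int rc = setitem_fixed(&ba, -1, &sneaky);
    printf("fixed:      rc=%d len=%zu\n", rc, ba.len);
    ba_free(&ba);

    /* Opt in to the bad ordering; run under valgrind or ASan to see the
     * invalid write that corresponds to the report's trace. */
    if (argc > 1 && strcmp(argv[1], "--unsafe") == 0) {
        if (ba_init(&ba, 10000) != 0) return 1;
        rc = setitem_vulnerable(&ba, -1, &sneaky);
        printf("vulnerable: rc=%d\n", rc);
        ba_free(&ba);
    }
    return 0;
}
```

Without a sanitizer the --unsafe path usually runs silently, which is exactly why the report's valgrind trace matters: the corruption is a heap write through an index that was correct a moment earlier. Moving the callback ahead of the bounds check is the simplest ordering that makes the check describe the buffer actually being written.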