
Author: JelleZijlstra
Recipients: JelleZijlstra, gvanrossum
Date: 2022-03-13.02:05:02
Message-id: <1647137103.05.0.520249500347.issue46997@roundup.psfhosted.org>

Content
Inspired by Guido's comment in https://github.com/python/cpython/pull/31834/files#r825352900, I found that there are some places in bytearrayobject.c where we can write to freed memory if we encounter an object with a sneaky __index__ method:

$ cat basneak.py 
ba = bytearray([0 for _ in range(10000)])

class sneaky:
    def __index__(self):
        ba.clear()
        return 1

ba[-1] = sneaky()
$ valgrind ./python basneak.py 
==87894== Memcheck, a memory error detector
==87894== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==87894== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==87894== Command: ./python basneak.py
==87894== 
==87894== Invalid write of size 1
==87894==    at 0x49B70F: bytearray_ass_subscript (bytearrayobject.c:632)
==87894==    by 0x488E03: PyObject_SetItem (abstract.c:211)
<snip>

In bytearray_setitem(), we first do bounds checking, and then call _getbytevalue() to get the numeric value of the argument.

I think there's a similar bug in bytearray_ass_subscript().
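The ordering problem described in this report, as an added example that is not code from the report or from CPython: a self-contained C model of bytearray_setitem() whose backing store lives in a small simulated heap with a Memcheck-style "addressable" bitmap, so the write through a stale index is reported as a result code instead of being undefined behaviour. setitem_vulnerable() uses the report's ordering (bounds check, then value conversion, then write); setitem_fixed() converts the value first and checks the index against the size the buffer has afterwards. The sneaky value clears the target bytearray from inside the conversion, exactly like the basneak.py reproducer above. All names (sim_*, ByteArray, IndexLike, getbytevalue, setitem_*) are made up for the example; the real CPython structures and the fix actually applied are not reproduced here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Example code, not CPython's: a simulated heap that records which bytes are
 * inside a live allocation, so a write to freed memory is detected. */
#define HEAP_SIZE 4096

static unsigned char sim_heap[HEAP_SIZE];
static unsigned char sim_live[HEAP_SIZE];  /* 1 = byte belongs to a live allocation */
static size_t sim_top = 0;                 /* bump allocator; freed memory is never reused */

static size_t sim_alloc(size_t n) {
    if (sim_top + n > HEAP_SIZE) { fprintf(stderr, "simulated heap exhausted\n"); exit(1); }
    size_t off = sim_top;
    memset(sim_live + off, 1, n);
    sim_top += n;
    return off;
}

static void sim_free(size_t off, size_t n) {
    memset(sim_live + off, 0, n);   /* like a freed block: no longer addressable */
}

/* Returns 0 on success, -1 for a write outside any live allocation. */
static int sim_write(size_t off, size_t i, unsigned char v) {
    if (off + i >= HEAP_SIZE || !sim_live[off + i]) return -1;
    sim_heap[off + i] = v;
    return 0;
}

typedef struct {
    size_t ob_bytes;   /* offset of the backing store in the simulated heap */
    size_t ob_size;    /* current logical length */
} ByteArray;

static ByteArray bytearray_new(size_t n) {
    ByteArray ba = { sim_alloc(n), n };
    memset(sim_heap + ba.ob_bytes, 0, n);
    return ba;
}

/* Models ba.clear(): the old buffer is released and replaced by a 1-byte one,
 * so any index validated before this call is stale. */
static void bytearray_clear(ByteArray *ba) {
    sim_free(ba->ob_bytes, ba->ob_size);
    ba->ob_bytes = sim_alloc(1);
    ba->ob_size = 0;
}

/* Models a Python object with __index__.  When target is non-NULL the
 * conversion has a side effect: it clears that bytearray, like sneaky above. */
typedef struct {
    ByteArray *target;
    int value;
} IndexLike;

/* Models _getbytevalue(): arbitrary Python code can run inside this call. */
static int getbytevalue(IndexLike *obj, int *out) {
    if (obj->target) bytearray_clear(obj->target);
    if (obj->value < 0 || obj->value > 255) return -1;   /* ValueError */
    *out = obj->value;
    return 0;
}

enum { SET_OK = 0, SET_INDEX_ERROR, SET_VALUE_ERROR, SET_INVALID_WRITE };

/* Ordering from the report: bounds check, then conversion, then write.
 * The conversion can shrink the buffer after the check has already passed. */
static int setitem_vulnerable(ByteArray *ba, long i, IndexLike *value) {
    int ival;
    if (i < 0) i += (long)ba->ob_size;
    if (i < 0 || i >= (long)ba->ob_size) return SET_INDEX_ERROR;
    if (getbytevalue(value, &ival) < 0) return SET_VALUE_ERROR;
    if (sim_write(ba->ob_bytes, (size_t)i, (unsigned char)ival) < 0)
        return SET_INVALID_WRITE;            /* valgrind's "Invalid write of size 1" */
    return SET_OK;
}

/* Fixed ordering: run the re-entrant conversion first, then validate the
 * index against the size the buffer has now, then write. */
static int setitem_fixed(ByteArray *ba, long i, IndexLike *value) {
    int ival;
    if (getbytevalue(value, &ival) < 0) return SET_VALUE_ERROR;
    if (i < 0) i += (long)ba->ob_size;
    if (i < 0 || i >= (long)ba->ob_size) return SET_INDEX_ERROR;
    if (sim_write(ba->ob_bytes, (size_t)i, (unsigned char)ival) < 0)
        return SET_INVALID_WRITE;            /* not reachable once the check is current */
    return SET_OK;
}

/* Runs "ba[-1] = sneaky()" against one implementation and returns its result. */
static int run_sneaky_assignment(int (*setitem)(ByteArray *, long, IndexLike *)) {
    ByteArray ba = bytearray_new(100);
    IndexLike sneaky = { &ba, 1 };
    return setitem(&ba, -1, &sneaky);
}

/* Runs a well-behaved "ba[-1] = 0x41" and returns the byte actually stored. */
static int run_normal_assignment(int (*setitem)(ByteArray *, long, IndexLike *)) {
    ByteArray ba = bytearray_new(8);
    IndexLike plain = { NULL, 0x41 };
    if (setitem(&ba, -1, &plain) != SET_OK) return -1;
    return sim_heap[ba.ob_bytes + ba.ob_size - 1];
}

int main(void) {
    printf("vulnerable: %d (3 = invalid write)\n", run_sneaky_assignment(setitem_vulnerable));
    printf("fixed:      %d (1 = IndexError)\n", run_sneaky_assignment(setitem_fixed));
    return 0;
}
```

The model deliberately never reuses freed memory, which is why the stale write lands on unaddressable bytes and is caught; on a real allocator the same write can silently corrupt whatever now occupies that address, which is why valgrind or ASan is needed to see it. The general rule the fixed version follows is the one to apply to every such entry point: any call that can run user code (__index__, __int__, __len__, a buffer release) must happen before the length or pointer it could invalidate is read, or the check must be redone afterwards.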
History
Date                 User           Action   Args
2022-03-13 02:05:03  JelleZijlstra  set      recipients: + JelleZijlstra, gvanrossum
2022-03-13 02:05:03  JelleZijlstra  set      messageid: <1647137103.05.0.520249500347.issue46997@roundup.psfhosted.org>
2022-03-13 02:05:03  JelleZijlstra  link     issue46997 messages
2022-03-13 02:05:02  JelleZijlstra  create