[New-bugs-announce] [issue41995] five possible Null Pointer Dereference bugs.

brightest star report at bugs.python.org
Sat Oct 10 07:49:40 EDT 2020


New submission from brightest star <brightest3379 at gmail.com>:

Hello everyone,

I have found five Null Pointer Dereference bugs in the recent master branch.
Although the impact could be slight, I think it is better to fix them.

Bug 1:
In the file ./Modules/_tracemalloc.c:
static int
tracemalloc_copy_trace(_Py_hashtable_t *traces,
                       const void *key, const void *value,
                       void *user_data)
{
        _Py_hashtable_t *traces2 = (_Py_hashtable_t *)user_data;

        trace_t *trace = (trace_t *)value;

1201:    trace_t *trace2 = raw_malloc(sizeof(trace_t));
1202:    if (traces2 == NULL) {  <-----
            return -1;
        }
1205:   *trace2 = *trace;
        ...
        return 0;
}
At line 1201, we malloc a variable 'trace2' and then we should check whether the variable 'trace2' is NULL. But it checks 'traces2' (not 'trace2') in line 1202. The variable 'trace2' still could be NULL. I think it is a spelling mistake.

Bug 2 and 3:
In the file Modules/_zoneinfo.c:

static int
load_data(PyZoneInfo_ZoneInfo *self, PyObject *file_obj)
{
        ...
908:     self->trans_list_utc =
        PyMem_Malloc(self->num_transitions * sizeof(int64_t));
910:    trans_idx = PyMem_Malloc(self->num_transitions * sizeof(Py_ssize_t));
        ...
}
Line 908 allocates memory for 'self->trans_list_utc' and line 910 allocates memory for 'trans_idx'. But the parameters passed to PyMem_Malloc are not fixed, which means that we could possibly control the size to malloc. If we pass a big size to PyMem_Malloc, it will return NULL.
So, we should add some checks for 'self->trans_list_utc' and 'trans_idx', such as
    if (self->trans_list_utc == NULL) {
        goto error;
    }

Bug 4 and 5:
In the file Modules/_zoneinfo.c:

The problem is the same as bug 3 and 4.
line 991:    self->_ttinfos = PyMem_Malloc(self->num_ttinfos * sizeof(_ttinfo));
line 1005:   self->trans_ttinfos =
        PyMem_Calloc(self->num_transitions, sizeof(_ttinfo *));

We should add some checks below these lines.

----------
components: Extension Modules
messages: 378385
nosy: brightest3379
priority: normal
severity: normal
status: open
title: five possible Null Pointer Dereference bugs.
type: behavior
versions: Python 3.5, Python 3.6, Python 3.7, Python 3.8, Python 3.9

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue41995>
_______________________________________
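
The NULL checks the report asks for, written out as an added example that is not part of the original report or of CPython's code; it also guards the count * size multiplication against wrap-around, which goes beyond the check shown in the report. Assumptions: plain malloc stands in for PyMem_Malloc, and zone_tables, checked_array_alloc and zone_tables_init are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical stand-in for the transition arrays sized by num_transitions. */
typedef struct {
    size_t   num_transitions;
    int64_t *trans_list_utc;
    size_t  *trans_idx;
} zone_tables;

/* Allocate count * size bytes; NULL on multiplication overflow or OOM. */
static void *checked_array_alloc(size_t count, size_t size)
{
    if (size != 0 && count > SIZE_MAX / size) {
        return NULL;                /* count * size would wrap around */
    }
    return malloc(count * size);
}

/* Returns 0 on success, -1 on failure. On failure nothing stays allocated
 * and both pointers are NULL, so the caller cannot dereference stale memory. */
int zone_tables_init(zone_tables *z, size_t num_transitions)
{
    z->num_transitions = 0;
    z->trans_list_utc = NULL;
    z->trans_idx = NULL;
    if (num_transitions == 0) {
        return 0;                   /* nothing to allocate; avoids malloc(0) */
    }
    z->trans_list_utc = checked_array_alloc(num_transitions, sizeof(int64_t));
    if (z->trans_list_utc == NULL) {
        goto error;
    }
    z->trans_idx = checked_array_alloc(num_transitions, sizeof(size_t));
    if (z->trans_idx == NULL) {
        goto error;
    }
    z->num_transitions = num_transitions;   /* set only once both arrays exist */
    return 0;

error:
    free(z->trans_list_utc);        /* free(NULL) is a no-op */
    free(z->trans_idx);
    z->trans_list_utc = NULL;
    z->trans_idx = NULL;
    return -1;
}
```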

