[New-bugs-announce] [issue46997] Invalid memory write in bytearray

Jelle Zijlstra report at bugs.python.org
Sat Mar 12 21:05:03 EST 2022


New submission from Jelle Zijlstra <jelle.zijlstra at gmail.com>:

Inspired by Guido's comment in https://github.com/python/cpython/pull/31834/files#r825352900, I found that there are some places in bytearrayobject.c where we can write to free'd memory if we encounter an object with a sneaky __index__ method:

$ cat basneak.py 
ba = bytearray([0 for _ in range(10000)])

class sneaky:
    def __index__(self):
        ba.clear()
        return 1

ba[-1] = sneaky()
$ valgrind ./python basneak.py 
==87894== Memcheck, a memory error detector
==87894== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==87894== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==87894== Command: ./python basneak.py
==87894== 
==87894== Invalid write of size 1
==87894==    at 0x49B70F: bytearray_ass_subscript (bytearrayobject.c:632)
==87894==    by 0x488E03: PyObject_SetItem (abstract.c:211)
<snip>

In bytearray_setitem(), we first do bounds checking, and then call _getbytevalue() to get the numeric value of the argument.

I think there's a similar bug in bytearray_ass_subscript().

----------
messages: 415021
nosy: JelleZijlstra, gvanrossum
priority: normal
severity: normal
status: open
title: Invalid memory write in bytearray

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue46997>
_______________________________________
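The check-then-convert ordering the report describes, modelled in pure Python as an added example (this is not CPython's code): `ByteBuffer`, `Sneaky`, `UnsafeWrite` and the method names are constructed, and the hardened ordering, converting the value before validating the index, is one fix pattern assumed here rather than the patch actually applied to bytearrayobject.c.

```python
import operator


class UnsafeWrite(Exception):
    """Marker for the point where the C code would write through a stale index."""


def to_byte(value):
    # operator.index() calls __index__, which may run arbitrary Python code,
    # including code that mutates the very container being assigned to.
    v = operator.index(value)
    if not 0 <= v <= 255:
        raise ValueError("byte must be in range(0, 256)")
    return v


class ByteBuffer:
    """Constructed model of a resizable byte container."""

    def __init__(self, size):
        self._buf = bytearray(size)

    def __len__(self):
        return len(self._buf)

    def clear(self):
        self._buf = bytearray()  # in C this frees the old storage

    def _check_index(self, i):
        if i < 0:
            i += len(self._buf)
        if not 0 <= i < len(self._buf):
            raise IndexError("bytearray index out of range")
        return i

    def assign_check_then_convert(self, i, value):
        # Ordering the report describes: bounds check first, conversion second.
        i = self._check_index(i)
        v = to_byte(value)  # may clear() the buffer behind our back
        if i >= len(self._buf):  # the C code has no such re-check
            raise UnsafeWrite(f"index {i} but length is now {len(self._buf)}")
        self._buf[i] = v

    def assign_convert_then_check(self, i, value):
        # Hardened ordering (assumed fix pattern): run the user-controlled
        # conversion first, then validate the index against the current length.
        v = to_byte(value)
        i = self._check_index(i)
        self._buf[i] = v


class Sneaky:
    """Constructed stand-in for the report's `sneaky`: shrinks the target in __index__."""

    def __init__(self, target):
        self.target = target

    def __index__(self):
        self.target.clear()
        return 1
```

With the hardened ordering the cleared buffer is caught by the bounds check and raises IndexError, instead of reaching the write with an index computed against the old length.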