[New-bugs-announce] [issue33742] Unsafe memory access in PyStructSequence_InitType

Pasha Stetsenko report at bugs.python.org
Sun Jun 3 02:37:33 EDT 2018


New submission from Pasha Stetsenko <stpasha at gmail.com>:

The documentation (https://docs.python.org/3/c-api/tuple.html) for `PyStructSequence_InitType` describes the function as follows:

> void PyStructSequence_InitType(PyTypeObject *type, PyStructSequence_Desc *desc)
> Initializes a struct sequence type `type` from `desc` in place.

And most of the time it does just that.
However, when running under python compiled in debug mode, the body of the function will contain the following code at the very beginning:
```c
    /* Debug-build (Py_TRACE_REFS) prologue: treats `type` as a live,
       tracked object if its _ob_next link is non-NULL and unlinks it. */
    if (type->ob_base.ob_base._ob_next) {
        _Py_ForgetReference((PyObject*)type);
    }
```
Since `type` here is a preallocated but uninitialized piece of memory, it may contain garbage data that, when interpreted as a "live" PyObject, will result in memory corruption or a process crash.

Thus, either the description of the `PyStructSequence_InitType` method has to document that the `type` object must be zeroed out before being passed to the method, or the call to `_Py_ForgetReference` has to be removed.
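The hazard the report describes, and the two ways a caller avoids it, as an added stand-alone C model that is not code from the report or from CPython. `MockObject`, `MockTypeObject`, `mock_init_type` and the `demo_*` functions are hypothetical stand-ins that only mirror the shape of the debug-build object header and the quoted prologue; the 0xAB fill is a constructed simulation of stale heap bytes so the run is deterministic.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the debug-build (Py_TRACE_REFS) object header:
 * CPython links every live object into a doubly linked list through
 * _ob_next/_ob_prev. The field names mirror CPython's, but these structs
 * are a stand-alone stand-in, not the real headers. */
typedef struct MockObject {
    struct MockObject *_ob_next;
    struct MockObject *_ob_prev;
    long ob_refcnt;
} MockObject;

typedef struct {
    MockObject ob_base;
    const char *tp_name;
} MockTypeObject;

/* Model of the prologue quoted in the report. Instead of unlinking through
 * whatever _ob_next happens to hold (which is what corrupts memory on an
 * uninitialized object), this stand-in refuses and reports the hazard. */
static int mock_init_type(MockTypeObject *type, const char *name)
{
    if (type->ob_base._ob_next != NULL) {
        /* The real code would call _Py_ForgetReference() here and follow
         * the stale pointer. Return a sentinel instead of touching memory. */
        return -1;
    }
    type->tp_name = name;
    type->ob_base.ob_refcnt = 1;
    return 0;
}

/* Heap block that was never cleared. The 0xAB fill is a constructed
 * stand-in for leftover bytes malloc() may hand back; on a real run the
 * contents are simply indeterminate. Returns the init result (-1 here). */
int demo_uninitialized_type(void)
{
    MockTypeObject *t = malloc(sizeof *t);
    if (t == NULL) return -2;
    memset(t, 0xAB, sizeof *t);        /* simulate stale heap contents */
    int rc = mock_init_type(t, "demo.Uninit");
    free(t);
    return rc;
}

/* Mitigation 1: zero the block before the in-place init (calloc, or
 * memset(t, 0, sizeof *t) on an existing buffer). Returns 0 on success. */
int demo_zeroed_type(void)
{
    MockTypeObject *t = calloc(1, sizeof *t);
    if (t == NULL) return -2;
    int rc = mock_init_type(t, "demo.Zeroed");
    free(t);
    return rc;
}

/* Mitigation 2: static storage, which C guarantees is zero-initialized.
 * This is the usual shape of a PyTypeObject in an extension module, and
 * it is why the hazard mostly surfaces with heap-allocated types. */
static MockTypeObject StaticType;

int demo_static_type(void)
{
    return mock_init_type(&StaticType, "demo.Static");
}

int main(void)
{
    return (demo_uninitialized_type() == -1 &&
            demo_zeroed_type() == 0 &&
            demo_static_type() == 0) ? 0 : 1;
}
```

The model only returns a sentinel where CPython would dereference the stale link, so it runs cleanly either way; the defensive point is that any `PyTypeObject` handed to an in-place initializer should come from zeroed storage (static, `calloc`, or an explicit `memset` to 0) so that every field the initializer inspects has a defined value.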

----------
messages: 318523
nosy: Pasha Stetsenko
priority: normal
severity: normal
status: open
title: Unsafe memory access in PyStructSequence_InitType
type: crash
versions: Python 3.5, Python 3.6, Python 3.7

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue33742>
_______________________________________

