ceval.c: positional_only_passed_as_keyword can be failed with segfault

Lines 1251 to 1285 in 4d8959b

    
           static int 
        
           positional_only_passed_as_keyword(PyThreadState *tstate, PyCodeObject *co, 
        
                                             Py_ssize_t kwcount, PyObject* kwnames, 
        
                                             PyObject *qualname) 
        
           { 
        
               int posonly_conflicts = 0; 
        
               PyObject* posonly_names = PyList_New(0); 
        
               for(int k=0; k < co->co_posonlyargcount; k++){ 
        
                   PyObject* posonly_name = PyTuple_GET_ITEM(co->co_localsplusnames, k); 
        
                   for (int k2=0; k2<kwcount; k2++){ 
        
                       /* Compare the pointers first and fallback to PyObject_RichCompareBool*/ 
        
                       PyObject* kwname = PyTuple_GET_ITEM(kwnames, k2); 
        
                       if (kwname == posonly_name){ 
        
                           if(PyList_Append(posonly_names, kwname) != 0) { 
        
                               goto fail; 
        
                           } 
        
                           posonly_conflicts++; 
        
                           continue; 
        
                       } 
        
                       int cmp = PyObject_RichCompareBool(posonly_name, kwname, Py_EQ); 
        
                       if ( cmp > 0) { 
        
                           if(PyList_Append(posonly_names, kwname) != 0) { 
        
                               goto fail; 
        
                           } 
        
                           posonly_conflicts++; 
        
                       } else if (cmp < 0) { 
        
                           goto fail; 
        
                       } 
        
                   } 
        
               }

This implemention doesn't take in account case when PyList_New returns NULL.
If PyList_New(0) returns a NULL, PyList_Append will be failed with segfault, cause of Py_TYPE, which will try to reach out ob_type. of (PyObject *) NULL.
This hard to reproduce, because the only way PyList_New can error, if it is runs out of memory, but theoretically it can happen.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

ceval.c: `positional_only_passed_as_keyword` can be failed with segfault #101967

Linked PRs

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

	static int
	positional_only_passed_as_keyword(PyThreadState tstate, PyCodeObject co,
	Py_ssize_t kwcount, PyObject* kwnames,
	PyObject *qualname)
	{
	int posonly_conflicts = 0;
	PyObject* posonly_names = PyList_New(0);

	for(int k=0; k < co->co_posonlyargcount; k++){
	PyObject* posonly_name = PyTuple_GET_ITEM(co->co_localsplusnames, k);

	for (int k2=0; k2<kwcount; k2++){
	/* Compare the pointers first and fallback to PyObject_RichCompareBool*/
	PyObject* kwname = PyTuple_GET_ITEM(kwnames, k2);
	if (kwname == posonly_name){
	if(PyList_Append(posonly_names, kwname) != 0) {
	goto fail;
	}
	posonly_conflicts++;
	continue;
	}

	int cmp = PyObject_RichCompareBool(posonly_name, kwname, Py_EQ);

	if ( cmp > 0) {
	if(PyList_Append(posonly_names, kwname) != 0) {
	goto fail;
	}
	posonly_conflicts++;
	} else if (cmp < 0) {
	goto fail;
	}

	}
	}

Search code, repositories, users, issues, pull requests...

Uh oh!

ceval.c: positional_only_passed_as_keyword can be failed with segfault #101967

Description

Linked PRs

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions

ceval.c: `positional_only_passed_as_keyword` can be failed with segfault #101967