Open
Description
Crash report
What happened?
It's possible to crash Python by passing an invalid className to _tkinter.create, for example:
import _tkinter
_tkinter.create(None, '', '\U0010FFFF', None)Or, using tkinter.Tk (repro thanks to @graingert and @JelleZijlstra):
% ./python.exe
Python 3.14.0a0 experimental free-threading build (heads/gh-125331:c315120a535, Oct 30 2024, 11:22:31) [Clang 15.0.0 (clang-1500.3.9.4)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import tkinter
... tkinter.Tk(screenName=None, baseName='', className='\U0010FFFF')
...
zsh: segmentation fault ./python.exeBacktrace looks like:
#0 0x00007ffff77bab5b in Tcl_UtfToUniChar () from /lib/x86_64-linux-gnu/libtcl8.6.so
#1 0x00007ffff77bc993 in ?? () from /lib/x86_64-linux-gnu/libtcl8.6.so
#2 0x00007ffff77bb795 in Tcl_UtfToTitle () from /lib/x86_64-linux-gnu/libtcl8.6.so
#3 0x00007ffff78b5083 in ?? () from /lib/x86_64-linux-gnu/libtk8.6.so
#4 0x00007ffff79dcf9d in Tcl_AppInit (interp=0x555555e14860) at ./Modules/tkappinit.c:40
#5 0x00007ffff79d92b4 in Tkapp_New (screenName=screenName@entry=0x0,
className=className@entry=0x7ffff7c2c1c0 "\364\217\277\277", interactive=interactive@entry=0,
wantobjects=wantobjects@entry=0, wantTk=wantTk@entry=1, sync=sync@entry=0, use=0x0)
at ./Modules/_tkinter.c:730
#6 0x00007ffff79d953f in _tkinter_create_impl (module=module@entry=<module at remote 0x7ffff7ab9eb0>,
screenName=screenName@entry=0x0, baseName=baseName@entry=0x555555c77ef0 <_PyRuntime+51344> "",
className=className@entry=0x7ffff7c2c1c0 "\364\217\277\277", interactive=interactive@entry=0,
wantobjects=wantobjects@entry=0, wantTk=1, sync=0, use=0x0) at ./Modules/_tkinter.c:3176
#7 0x00007ffff79d99c6 in _tkinter_create (module=<module at remote 0x7ffff7ab9eb0>, args=0x7ffff7fb0080,
nargs=<optimized out>) at ./Modules/clinic/_tkinter.c.h:820
#8 0x00005555556f18b0 in cfunction_vectorcall_FASTCALL (
func=<built-in method create of module object at remote 0x7ffff7ab9eb0>, args=0x7ffff7fb0080,
nargsf=<optimized out>, kwnames=<optimized out>) at Objects/methodobject.c:436
#9 0x000055555567ba55 in _PyObject_VectorcallTstate (tstate=0x555555cbbc70 <_PyRuntime+329232>,
callable=<built-in method create of module object at remote 0x7ffff7ab9eb0>, args=0x7ffff7fb0080,
nargsf=9223372036854775812, kwnames=0x0) at ./Include/internal/pycore_call.h:167Found using fusil by @vstinner.
CPython versions tested on:
3.12, 3.14, CPython main branch
Operating systems tested on:
Linux, macOS, Windows
Output from running 'python -VV' on the command line:
Python 3.14.0a1+ (heads/main:d467d9246c, Oct 30 2024, 22:52:43) [GCC 11.4.0]
Metadata
Metadata
Assignees
Labels
only security fixesonly security fixesbugs and security fixesbugs and security fixesbugs and security fixesbugs and security fixesC modules in the Modules dirC modules in the Modules dirA hard crash of the interpreter, possibly with a core dumpA hard crash of the interpreter, possibly with a core dump