Out-of-bounds tuple access in BaseExceptionGroup_repr #146096

@devdanzin


Crash report

What happened?

It's possible to segfault the interpreter by trying to call repr() on an ExceptionGroup which has had its args set to an empty tuple.

Automated diagnosis:

Bug: At line 1094 of exceptions.c, PyTuple_GET_ITEM(self->args, 1) accesses index 1 of self->args without checking the tuple size. Since args is writable from Python, setting it to an empty tuple causes an OOB read → segfault.

File: Objects/exceptions.c, line 1094

Full report

MRE:

eg = ExceptionGroup("msg", [ValueError()])
eg.args = ()
repr(eg)

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
BaseExceptionGroup_repr (op=0x7ffff759b260) at Objects/exceptions.c:1094
1094            if (PyList_Check(PyTuple_GET_ITEM(self->args, 1))) {
(gdb) bt
#0  BaseExceptionGroup_repr (op=0x7ffff759b260) at Objects/exceptions.c:1094
#1  0x0000555555728177 in PyObject_Repr (v=0x7ffff759b260) at Objects/object.c:782
#2  0x00005555557206b5 in cfunction_vectorcall_O (func=func@entry=0x7ffff75bf830, args=args@entry=0x7fffffffb608, nargsf=nargsf@entry=9223372036854775809, kwnames=kwnames@entry=0x0)
    at Objects/methodobject.c:536
#3  0x00005555556a2ebe in _PyObject_VectorcallTstate (tstate=0x555555d99c08 <_PyRuntime+360664>, callable=0x7ffff75bf830, args=0x7fffffffb608, nargsf=9223372036854775809, kwnames=0x0)
    at ./Include/internal/pycore_call.h:144
#4  0x000055555583f859 in _Py_VectorCallInstrumentation_StackRefSteal (callable=..., arguments=0x7ffff7fa7080, total_args=total_args@entry=1, kwnames=kwnames@entry=...,
    call_instrumentation=false, frame=frame@entry=0x7ffff7fa7020, this_instr=0x7ffff749814a, tstate=0x555555d99c08 <_PyRuntime+360664>) at Python/ceval.c:775
#5  0x000055555584a8e4 in _PyEval_EvalFrameDefault (tstate=tstate@entry=0x555555d99c08 <_PyRuntime+360664>, frame=<optimized out>, frame@entry=0x7ffff7fa7020, throwflag=throwflag@entry=0)
    at Python/generated_cases.c.h:1838
#6  0x000055555583f08b in _PyEval_EvalFrame (tstate=0x555555d99c08 <_PyRuntime+360664>, frame=0x7ffff7fa7020, throwflag=0) at ./Include/internal/pycore_ceval.h:118
#7  _PyEval_Vector (tstate=tstate@entry=0x555555d99c08 <_PyRuntime+360664>, func=func@entry=0x7ffff7466690, locals=locals@entry=0x7ffff746a4b0, args=args@entry=0x0,
    argcount=argcount@entry=0, kwnames=kwnames@entry=0x0) at Python/ceval.c:2130
#8  0x000055555583ee1e in PyEval_EvalCode (co=co@entry=0x7ffff7498040, globals=globals@entry=0x7ffff746a4b0, locals=locals@entry=0x7ffff746a4b0) at Python/ceval.c:686
#9  0x00005555559c8f8e in run_eval_code_obj (tstate=0x555555d99c08 <_PyRuntime+360664>, co=co@entry=0x7ffff7498040, globals=globals@entry=0x7ffff746a4b0, locals=locals@entry=0x7ffff746a4b0)
    at Python/pythonrun.c:1368
#10 0x00005555559c8adb in run_mod (mod=mod@entry=0x555555f3d7d8, filename=filename@entry=0x7ffff74b2e40, globals=globals@entry=0x7ffff746a4b0, locals=locals@entry=0x7ffff746a4b0,
    flags=0x7fffffffc940, arena=arena@entry=0x7ffff74dad40, interactive_src=0x0, generate_new_source=0) at Python/pythonrun.c:1471

Found using cpython-review-toolkit with Claude Opus 4.6, using the /cpython-review-toolkit:explore Objects/exceptions.c all deep command.

CPython versions tested on:

CPython main branch

Operating systems tested on:

Linux

Output from running 'python -VV' on the command line:

Python 3.15.0a7+ (heads/main:e0f7c1097e1, Mar 17 2026, 18:10:52) [Clang 21.1.2 (2ubuntu6)]


Labels: 3.15 (pre-release feature fixes, bugs and security fixes); interpreter-core (Objects, Python, Grammar, and Parser dirs); type-crash (A hard crash of the interpreter, possibly with a core dump)
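
The bug class described in the report, as an added example that is not part of the issue or of CPython's code: a self-contained C model showing the unchecked index beside a size-checked variant. The types `obj_t`, `tuple_t`, `group_t` and the macro `TUPLE_GET_ITEM` are hypothetical stand-ins for CPython objects and `PyTuple_GET_ITEM`, and the fallback to the tuple form is an assumption, not the fix adopted upstream.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for CPython objects: a model, not the real C API. */
typedef struct { int is_list; } obj_t;
typedef struct { size_t size; const obj_t *const *items; } tuple_t;
typedef struct { const tuple_t *args; const char *msg; const char *excs; } group_t;

/* Unchecked accessor with the PyTuple_GET_ITEM contract: caller guarantees i < size. */
#define TUPLE_GET_ITEM(t, i) ((t)->items[(i)])

/* Pattern from the report: index 1 is read without looking at the size.
   With args == () this reads past the item array, so it is never called here. */
int repr_unchecked(const group_t *g, char *out, size_t n) {
    int as_list = TUPLE_GET_ITEM(g->args, 1)->is_list;
    return snprintf(out, n, as_list ? "Group(%s, [%s])" : "Group(%s, (%s))",
                    g->msg, g->excs);
}

/* Guarded variant: args is writable from Python, so check its shape before
   indexing; if it is too short, fall back to the tuple form of the stored excs. */
int repr_checked(const group_t *g, char *out, size_t n) {
    int as_list = 0;
    if (g->args != NULL && g->args->size >= 2)
        as_list = TUPLE_GET_ITEM(g->args, 1)->is_list;
    return snprintf(out, n, as_list ? "Group(%s, [%s])" : "Group(%s, (%s))",
                    g->msg, g->excs);
}

/* Constructed sample: a group whose args was replaced by a tuple of nargs
   items (nargs must be 0, 1 or 2). Returns the guarded repr. */
const char *demo_repr(size_t nargs) {
    static char buf[64];
    static const obj_t msg = {0}, excs_list = {1};
    static const obj_t *const items[] = {&msg, &excs_list};
    tuple_t args = {nargs, nargs ? items : NULL};
    group_t g = {&args, "'msg'", "ValueError()"};
    repr_checked(&g, buf, sizeof buf);
    return buf;
}

int main(void) {
    puts(demo_repr(2));   /* intact args: list form */
    puts(demo_repr(0));   /* args = (): guarded fallback, no out-of-bounds read */
    return 0;
}
```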