The function `_PyUnicodeWriter_WriteASCIIString` in `Objects/unicodeobject.c` (or `Objects/unicode_writer.c` in some versions) contains potential undefined behavior. When `len` is 0 and `ascii` is `NULL`, it calls `memcpy` with a `NULL` source pointer.
According to the C standard, passing `NULL` to `memcpy` is undefined even if the count is zero.
Proof of Concept
Clang's UndefinedBehaviorSanitizer (UBSan) reports:

```
../Objects/unicode_writer.c:494:36: runtime error: null pointer passed as argument 2, which is declared to never be null
```
This happens in the following block:

```c
case PyUnicode_1BYTE_KIND:
{
    const Py_UCS1 *str = (const Py_UCS1 *)ascii;
    Py_UCS1 *data = writer->data;
    memcpy(data + writer->pos, str, len);  // <--- UB if str is NULL and len is 0
    break;
}
```
Mitigation
The function should return early if `len == 0`. This is a common pattern in CPython to avoid unnecessary work and prevent UB with memory functions.

```c
if (len == -1)
    len = strlen(ascii);
if (len == 0)
    return 0;
```
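To make the failure mode and the fix concrete, here is an added, self-contained example (not CPython's code and not from the reporter): a minimal writer that mirrors the shape of `_PyUnicodeWriter_WriteASCIIString`, with the reported pattern beside the early-return variant. The type and function names (`writer_t`, `write_ascii_unchecked`, `write_ascii`, `demo_write`) are hypothetical. Building the file with `-fsanitize=undefined` and calling the unchecked variant with `(NULL, 0)` reproduces the "null pointer passed as argument 2" report; the checked variant never hands a `NULL` source to `memcpy`.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the CPython writer: a flat byte buffer plus
 * a write cursor. Not the real _PyUnicodeWriter. */
typedef struct {
    char *data;    /* destination buffer */
    size_t pos;    /* current write position */
    size_t cap;    /* capacity of data */
} writer_t;

/* Reported pattern. Contract: len == -1 means "ascii is NUL-terminated,
 * measure it"; otherwise exactly len bytes are copied. With ascii == NULL
 * and len == 0 this reaches memcpy(dst, NULL, 0), which the C standard
 * leaves undefined and which UBSan flags. */
static int write_ascii_unchecked(writer_t *w, const char *ascii, ptrdiff_t len)
{
    if (len == -1)
        len = (ptrdiff_t)strlen(ascii);
    if ((size_t)len > w->cap - w->pos)
        return -1;                                   /* would overflow the buffer */
    memcpy(w->data + w->pos, ascii, (size_t)len);    /* UB when ascii == NULL */
    w->pos += (size_t)len;
    return 0;
}

/* Fixed variant: return before memcpy when there is nothing to copy, so a
 * NULL source with len == 0 never reaches it. len == -1 still requires a
 * valid string, exactly as in the original contract. */
static int write_ascii(writer_t *w, const char *ascii, ptrdiff_t len)
{
    if (len == -1)
        len = (ptrdiff_t)strlen(ascii);
    if (len == 0)
        return 0;                                    /* the early return from the mitigation */
    if ((size_t)len > w->cap - w->pos)
        return -1;
    memcpy(w->data + w->pos, ascii, (size_t)len);
    w->pos += (size_t)len;
    return 0;
}

/* Drives the fixed writer over a constructed input sequence that includes
 * the problematic (NULL, 0) call. Returns bytes written, or -1 on overflow. */
static ptrdiff_t demo_write(char *buf, size_t cap)
{
    writer_t w = { buf, 0, cap };
    if (write_ascii(&w, "abc", 3) != 0) return -1;
    if (write_ascii(&w, NULL, 0) != 0) return -1;    /* the UB-triggering input, now safe */
    if (write_ascii(&w, "def", -1) != 0) return -1;  /* len == -1: length taken from strlen */
    if (write_ascii(&w, "", 0) != 0) return -1;      /* non-NULL empty string, also skipped */
    return (ptrdiff_t)w.pos;
}

int main(void)
{
    char buf[16];
    ptrdiff_t n = demo_write(buf, sizeof buf);
    printf("wrote %td bytes: %.*s\n", n, (int)n, buf);
    return n == 6 ? 0 : 1;
}
```

The two functions differ only in the `len == 0` early return, which is the whole mitigation; the capacity check is there so the example is safe to run on its own buffer and is not part of what the issue describes.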
CPython versions tested on:
CPython main branch
Operating systems tested on:
Linux
Linked PRs