Issue 30640: NULL + 1 in _PyFunction_FastCallDict(), PyEval_EvalCodeEx()

Created on 2017-06-12 14:37 by serhiy.storchaka, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Pull Requests

- PR 2919 (merged) - ZackerySpytz, 2017-07-27 16:25
- PR 2964 (merged) - ZackerySpytz, 2017-07-31 21:41

Messages (7)
msg295786 - Author: Serhiy Storchaka (serhiy.storchaka), Python committer. Date: 2017-06-12 14:37
In _PyFunction_FastCallDict(), if nk == 0, k is set to NULL. After that, k + 1 is passed to _PyEval_EvalCodeWithName(). NULL + 1 is undefined behavior.
msg295788 - Author: STINNER Victor (vstinner), Python committer. Date: 2017-06-12 14:41
Can you please show me the line doing NULL+1? I don't see it. Or do you mean the "k + 1" with k=NULL? _PyEval_EvalCodeWithName() ignores kwnames and kwargs when kwcount is zero. So I don't think that the value of NULL+1 matters here :-)
msg295794 - Author: Serhiy Storchaka (serhiy.storchaka), Python committer. Date: 2017-06-12 15:11
Yes, I mean the "k + 1" with k=NULL. Even if _PyEval_EvalCodeWithName() ignores that value, this is still undefined behavior. For example, the compiler can decide that since NULL+1 is not valid, k is never NULL, and ignore the branch that sets k to NULL. It can also not generate the code in _PyEval_EvalCodeWithName() for handling the case kwcount == 0.
msg299538 - Author: Zackery Spytz (ZackerySpytz), Python triager. Date: 2017-07-31 05:39
As mentioned in PR 2919, this is an issue in PyEval_EvalCodeEx() as well.
msg299556 - Author: Serhiy Storchaka (serhiy.storchaka), Python committer. Date: 2017-07-31 14:24
New changeset c6ea8974e2d939223bfd6d64ee13ec89c090d2e0 by Serhiy Storchaka (Zackery Spytz) in branch 'master': bpo-30640: Fix undefined behavior in _PyFunction_FastCallDict() and PyEval_EvalCodeEx() (#2919) https://github.com/python/cpython/commit/c6ea8974e2d939223bfd6d64ee13ec89c090d2e0
msg301663 - Author: STINNER Victor (vstinner), Python committer. Date: 2017-09-08 01:17
New changeset f032e9237aa7d43d21e0b04d685c36bddf7078c1 by Victor Stinner (Zackery Spytz) in branch '3.6': [3.6] bpo-30640: Fix undefined behavior in _PyFunction_FastCallDict() and PyEval_EvalCodeEx() (GH-2919) (#2964) https://github.com/python/cpython/commit/f032e9237aa7d43d21e0b04d685c36bddf7078c1
msg301664 - Author: STINNER Victor (vstinner), Python committer. Date: 2017-09-08 01:19
It's now fixed in Python 3.6 and master (3.7). FYI this issue was also detected by Coverity as CID 1415964.
History

- 2022-04-11 14:58:47 - admin - set: github: 74825
- 2017-09-08 01:19:03 - vstinner - set: status: open -> closed; resolution: fixed; messages: +; stage: resolved
- 2017-09-08 01:17:40 - vstinner - set: messages: +
- 2017-07-31 21:41:05 - ZackerySpytz - set: pull_requests: + pull_request3011
- 2017-07-31 14:24:43 - serhiy.storchaka - set: messages: +
- 2017-07-31 05:39:16 - ZackerySpytz - set: nosy: + ZackerySpytz; messages: +; title: NULL + 1 in _PyFunction_FastCallDict() -> NULL + 1 in _PyFunction_FastCallDict(), PyEval_EvalCodeEx()
- 2017-07-27 16:25:14 - ZackerySpytz - set: pull_requests: + pull_request2972
- 2017-06-12 15:11:32 - serhiy.storchaka - set: messages: +
- 2017-06-12 14:41:53 - vstinner - set: messages: +
- 2017-06-12 14:38:39 - vstinner - set: title: NULL + 1 -> NULL + 1 in _PyFunction_FastCallDict()
- 2017-06-12 14:37:59 - serhiy.storchaka - create