New submission from Alexander Riccio <test35...@gmail.com>:

growable_comment_array_add in parsetok.c incorrectly uses realloc, which leaks 
the array when allocation fails, and then causes a null pointer deref crash 
later when the array is freed in growable_comment_array_deallocate (the array 
pointer is dereferenced, passing null to free is fine).

It's unlikely that this codepath is reached in normal use, since type comments 
need to be turned on (via the PyCF_TYPE_COMMENTS compiler flag), but I've 
managed to replicate the issue by injecting faults with Application Verifier. 
It's easiest to cause it to fail with a very large number of type comments, but 
presumably this could also happen with some form of heap fragmentation.

The buggy code is:

static int
growable_comment_array_add(growable_comment_array *arr, int lineno, char *comment) {
    if (arr->num_items >= arr->size) {
        arr->size *= 2;
        arr->items = realloc(arr->items, arr->size * sizeof(*arr->items));
        if (!arr->items) {
            return 0;
        }
    }

    arr->items[arr->num_items].lineno = lineno;
    arr->items[arr->num_items].comment = comment;
    arr->num_items++;
    return 1;
}


and the correct code would be something like:

static int
growable_comment_array_add(growable_comment_array *arr, int lineno, char *comment) {
    if (arr->num_items >= arr->size) {
        /* Grow into a temporary so a failed realloc leaves arr->items (and
           arr->size) untouched; the old block stays owned and freeable. */
        size_t new_size = arr->size * 2;
        void *new_items_array = realloc(arr->items, new_size * sizeof(*arr->items));
        if (!new_items_array) {
            return 0;
        }
        arr->items = new_items_array;
        arr->size = new_size;
    }

    arr->items[arr->num_items].lineno = lineno;
    arr->items[arr->num_items].comment = comment;
    arr->num_items++;
    return 1;
}
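To show the failure mode end to end, here is an added, self-contained example (not code from the report or from CPython): a stand-in for the parsetok.c array with a fault-injection switch playing the role of Application Verifier, the hardened add, and a deallocator that walks the items the way the report describes. The struct layout, the checked_realloc wrapper and failed_growth_preserves_array are assumptions constructed for the demonstration.

```c
#include <stdlib.h>
#include <string.h>

/* Assumed shape of parsetok.c's growable_comment_array (constructed here). */
typedef struct { int lineno; char *comment; } comment_item;
typedef struct { comment_item *items; size_t size; size_t num_items; } growable_comment_array;

/* Fault-injection switch standing in for Application Verifier: when set, the
   next realloc reports failure and leaves the caller's old block untouched. */
static int inject_realloc_failure = 0;

static void *checked_realloc(void *p, size_t n) {
    if (inject_realloc_failure) { inject_realloc_failure = 0; return NULL; }
    return realloc(p, n);
}

/* Hardened add: the realloc result lands in a temporary, so on failure
   arr->items and arr->size are unchanged and still owned by the caller. */
int growable_comment_array_add(growable_comment_array *arr, int lineno, char *comment) {
    if (arr->num_items >= arr->size) {
        size_t new_size = arr->size * 2;
        void *new_items = checked_realloc(arr->items, new_size * sizeof(*arr->items));
        if (!new_items) {
            return 0;              /* old array intact: no leak, safe to free later */
        }
        arr->items = new_items;
        arr->size = new_size;
    }
    arr->items[arr->num_items].lineno = lineno;
    arr->items[arr->num_items].comment = comment;
    arr->num_items++;
    return 1;
}

/* Deallocator shaped like the one in the report: it indexes arr->items, which is
   exactly where a NULL arr->items with num_items > 0 would crash. */
void growable_comment_array_deallocate(growable_comment_array *arr) {
    for (size_t i = 0; i < arr->num_items; i++) free(arr->items[i].comment);
    free(arr->items);
    arr->items = NULL;
}

/* Scenario: one comment fits, the second forces growth, growth is made to fail.
   Returns 1 when the failure leaves the array consistent and freeable. */
int failed_growth_preserves_array(void) {
    growable_comment_array arr = { malloc(sizeof(comment_item)), 1, 0 };
    char *c1 = malloc(16);
    if (!arr.items || !c1) return -1;
    strcpy(c1, "# type: int");                             /* constructed sample */
    if (!growable_comment_array_add(&arr, 1, c1)) return -1;
    inject_realloc_failure = 1;
    int rc = growable_comment_array_add(&arr, 2, NULL);    /* must fail cleanly */
    int ok = rc == 0 && arr.items != NULL && arr.num_items == 1 && arr.size == 1;
    growable_comment_array_deallocate(&arr);               /* no NULL deref here */
    return ok;
}
```

With the original pattern (assigning realloc's result straight to arr->items), the same scenario would lose the one-element block and then dereference NULL inside the deallocator's loop.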

----------
components: Interpreter Core
messages: 364644
nosy: Alexander Riccio, benjamin.peterson
priority: normal
severity: normal
status: open
title: growable_comment_array_add leaks, causes crash
type: crash
versions: Python 3.9

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue40020>
_______________________________________