New submission from brightest star <brightest3...@gmail.com>:
Hello everyone,

I have found five Null Pointer Dereference bugs in the recent master branch. Although its impact could be slight, I think it is better to fix it.

Bug 1:

In the file ./Modules/_tracemalloc.c:

    static int
    tracemalloc_copy_trace(_Py_hashtable_t *traces,
                           const void *key, const void *value,
                           void *user_data)
    {
        _Py_hashtable_t *traces2 = (_Py_hashtable_t *)user_data;
        trace_t *trace = (trace_t *)value;
    1201:   trace_t *trace2 = raw_malloc(sizeof(trace_t));
    1202:   if (traces2 == NULL) {     <-----
                return -1;
            }
    1205:   *trace2 = *trace;
        ...
        return 0;
    }

At line 1201, we malloc a variable 'trace2' and then we should check whether the variable 'trace2' is NULL. But it checks 'traces2' (not 'trace2') in line 1202. The variable 'trace2' still could be NULL. I think it is a spelling mistake.

Bug 2 and 3:

In the file Modules/_zoneinfo.c:

    static int
    load_data(PyZoneInfo_ZoneInfo *self, PyObject *file_obj)
    {
        ...
    908:    self->trans_list_utc = PyMem_Malloc(self->num_transitions * sizeof(int64_t));
    910:    trans_idx = PyMem_Malloc(self->num_transitions * sizeof(Py_ssize_t));
        ...
    }

Line 908 allocates memory for 'self->trans_list_utc' and line 910 allocates memory for 'trans_idx'. But the parameters passed to PyMem_Malloc are not fixed; it means that we could possibly control the size to malloc. If we pass a big size to PyMem_Malloc, it will return NULL. So, we should add some checks for 'self->trans_list_utc' and 'trans_idx', such as:

    if (self->trans_list_utc == NULL) {
        goto error;
    }

Bug 4 and 5:

In the file Modules/_zoneinfo.c:

The problem is the same as bug 3 and 4.

    line 991:  self->_ttinfos = PyMem_Malloc(self->num_ttinfos * sizeof(_ttinfo));
    line 1005: self->trans_ttinfos = PyMem_Calloc(self->num_transitions, sizeof(_ttinfo *));

We should add some checks below these lines.

----------
components: Extension Modules
messages: 378385
nosy: brightest3379
priority: normal
severity: normal
status: open
title: five possible Null Pointer Dereference bugs.
type: behavior
versions: Python 3.5, Python 3.6, Python 3.7, Python 3.8, Python 3.9

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue41995>
_______________________________________