New submission from brightest star <brightest3...@gmail.com>:

Hello everyone,

I have found five Null Pointer Dereference bugs in the recent master branch.
Although their impact could be slight, I think it is better to fix them.

Bug 1:
In the file ./Modules/_tracemalloc.c:
static int
tracemalloc_copy_trace(_Py_hashtable_t *traces,
                       const void *key, const void *value,
                       void *user_data)
{
        _Py_hashtable_t *traces2 = (_Py_hashtable_t *)user_data;

        trace_t *trace = (trace_t *)value;

1201:    trace_t *trace2 = raw_malloc(sizeof(trace_t));
1202:    if (traces2 == NULL) {  <-----
            return -1;
        }
1205:   *trace2 = *trace;
        ...
        return 0;
}
At line 1201, we malloc a variable 'trace2' and then we should check whether the 
variable 'trace2' is NULL. But it checks 'traces2' (not 'trace2') in line 1202. 
The variable 'trace2' still could be NULL. I think it is a spelling mistake.

Bug 2 and 3:
In the file Modules/_zoneinfo.c:

static int
load_data(PyZoneInfo_ZoneInfo *self, PyObject *file_obj)
{
        ...
908:     self->trans_list_utc =
        PyMem_Malloc(self->num_transitions * sizeof(int64_t));
910:    trans_idx = PyMem_Malloc(self->num_transitions * sizeof(Py_ssize_t));
        ...
}
Line 908 allocates memory for 'self->trans_list_utc' and line 910 allocates memory 
for 'trans_idx'. But the parameters passed to PyMem_Malloc are not fixed, which means 
that we could possibly control the size passed to malloc. If we pass a big size to 
PyMem_Malloc, it will return NULL.
So, we should add some checks for 'self->trans_list_utc' and 'trans_idx', such as 
    if (self->trans_list_utc == NULL) {
        goto error;
    }

Bug 4 and 5:
In the file Modules/_zoneinfo.c:

The problem is the same as bug 3 and 4.
line 991:    self->_ttinfos = PyMem_Malloc(self->num_ttinfos * sizeof(_ttinfo));
line 1005:   self->trans_ttinfos =
        PyMem_Calloc(self->num_transitions, sizeof(_ttinfo *));

We should add some checks below these lines.

----------
components: Extension Modules
messages: 378385
nosy: brightest3379
priority: normal
severity: normal
status: open
title: five possible Null Pointer Dereference bugs.
type: behavior
versions: Python 3.5, Python 3.6, Python 3.7, Python 3.8, Python 3.9

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue41995>
_______________________________________
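
The check-and-bail pattern the report asks for in Bugs 2 to 5, as an added example that is not part of the original report or of CPython's source. It is a standalone C sketch that uses plain malloc in place of PyMem_Malloc; zone_t, alloc_array and load_transitions are hypothetical names, and the multiplication-overflow guard goes beyond what the report requests.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the two fields named in the report. */
typedef struct {
    int64_t *trans_list_utc;
    size_t *trans_idx;
} zone_t;

/* count * size bytes, or NULL if the product overflows or malloc fails. */
static void *alloc_array(size_t count, size_t size)
{
    if (size != 0 && count > SIZE_MAX / size)
        return NULL;
    return malloc(count * size ? count * size : 1);
}

/* num_transitions is treated as untrusted input. Returns 0, or -1 on failure. */
static int load_transitions(zone_t *z, size_t num_transitions)
{
    z->trans_idx = NULL;
    z->trans_list_utc = alloc_array(num_transitions, sizeof(int64_t));
    if (z->trans_list_utc == NULL)
        goto error;
    z->trans_idx = alloc_array(num_transitions, sizeof(size_t));
    if (z->trans_idx == NULL)
        goto error;
    for (size_t i = 0; i < num_transitions; i++) {
        z->trans_list_utc[i] = 0;   /* safe: both pointers were checked */
        z->trans_idx[i] = i;
    }
    return 0;
error:
    free(z->trans_list_utc);        /* free(NULL) is a no-op */
    free(z->trans_idx);
    z->trans_list_utc = NULL;
    z->trans_idx = NULL;
    return -1;
}

int main(void)
{
    zone_t z;
    int ok = load_transitions(&z, 4);
    free(z.trans_list_utc); free(z.trans_idx);
    printf("small=%d huge=%d\n", ok, load_transitions(&z, SIZE_MAX / 2));
    return 0;
}
```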