New submission from Jelle Zijlstra <jelle.zijls...@gmail.com>:

Inspired by Guido's comment in 
https://github.com/python/cpython/pull/31834/files#r825352900, I found that 
there are some places in bytearrayobject.c where we can write to free'd memory 
if we encounter an object with a sneaky __index__ method:

$ cat basneak.py 
ba = bytearray([0 for _ in range(10000)])

class sneaky:
    def __index__(self):
        ba.clear()
        return 1

ba[-1] = sneaky()
$ valgrind ./python basneak.py 
==87894== Memcheck, a memory error detector
==87894== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==87894== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==87894== Command: ./python basneak.py
==87894== 
==87894== Invalid write of size 1
==87894==    at 0x49B70F: bytearray_ass_subscript (bytearrayobject.c:632)
==87894==    by 0x488E03: PyObject_SetItem (abstract.c:211)
<snip>

In bytearray_setitem(), we first do bounds checking, and then call 
_getbytevalue() to get the numeric value of the argument.

I think there's a similar bug in bytearray_ass_subscript().

----------
messages: 415021
nosy: JelleZijlstra, gvanrossum
priority: normal
severity: normal
status: open
title: Invalid memory write in bytearray

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue46997>
_______________________________________
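Added example (not CPython's code, and not from the report above): a self-contained C model of the ordering bug the report describes, bounds check before a value conversion that can run arbitrary code, next to the safe ordering. It assumes a constructed, fixed-capacity stand-in for bytearray so that the stale write lands in still-allocated memory and can be inspected rather than being a real use-after-free; the hook argument stands in for __index__.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for a bytearray: a 16-byte arena plus a logical
 * length, so a write past `len` is observable instead of undefined. */
#define CAP 16
typedef struct { unsigned char data[CAP]; ptrdiff_t len; } ByteArray;

/* Stand-in for __index__: a hook that runs during value conversion.
 * The "sneaky" one empties the array, as basneak.py does with ba.clear(). */
typedef void (*index_hook)(ByteArray *);
static void sneaky_index(ByteArray *ba) { ba->len = 0; }
static void honest_index(ByteArray *ba) { (void)ba; }

/* Model of _getbytevalue(): arbitrary code may run here and resize ba. */
static int getbytevalue(ByteArray *ba, index_hook hook, int *out) {
    hook(ba);
    *out = 1;
    return 0;
}

/* Vulnerable order: normalise and check the index, THEN convert the value,
 * THEN write. The check is stale by the time the store happens. */
static int setitem_vulnerable(ByteArray *ba, ptrdiff_t i, index_hook hook) {
    if (i < 0) i += ba->len;
    if (i < 0 || i >= ba->len) return -1;          /* IndexError */
    int v;
    if (getbytevalue(ba, hook, &v) < 0) return -1;
    ba->data[i] = (unsigned char)v;                /* may be past len now */
    return 0;
}

/* Hardened order: convert the value first, then normalise and check the
 * index against the array's *current* length, then write. */
static int setitem_fixed(ByteArray *ba, ptrdiff_t i, index_hook hook) {
    int v;
    if (getbytevalue(ba, hook, &v) < 0) return -1;
    if (i < 0) i += ba->len;
    if (i < 0 || i >= ba->len) return -1;          /* IndexError */
    ba->data[i] = (unsigned char)v;
    return 0;
}

/* Reproduces the report: ba[-1] = sneaky() on a 10-byte array.
 * Returns 1 if the vulnerable path stored a byte beyond the live length. */
static int demo_stale_write(void) {
    ByteArray ba; memset(&ba, 0, sizeof ba); ba.len = 10;
    setitem_vulnerable(&ba, -1, sneaky_index);
    return ba.len == 0 && ba.data[9] == 1;
}
```

In the real object the cleared buffer is reallocated, which is why valgrind reports the store as an invalid write; here the same stale index is visible as a byte written past `len`.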