heap corruption while parsing huge comment #99581
Comments
Thanks for the report. This is a backtrace I got from gdb for 3.11:
I think it might be particular to running a file directly, i.e.,
The patch below stopped the error, but I'm assuming it would be better to find the actual source of the buffer overflow.
diff --git a/Parser/tokenizer.c b/Parser/tokenizer.c
index a5cfb659b4..2d23e5aa09 100644
--- a/Parser/tokenizer.c
+++ b/Parser/tokenizer.c
@@ -359,7 +359,7 @@ tok_reserve_buf(struct tok_state *tok, Py_ssize_t size)
Py_ssize_t start = tok->start == NULL ? -1 : tok->start - tok->buf;
Py_ssize_t line_start = tok->start == NULL ? -1 : tok->line_start - tok->buf;
Py_ssize_t multi_line_start = tok->multi_line_start - tok->buf;
- newbuf = (char *)PyMem_Realloc(newbuf, newsize);
+ newbuf = (char *)PyMem_Realloc(newbuf, newsize + 1);
if (newbuf == NULL) {
tok->done = E_NOMEM;
return 0; From adding Line 1005 in 858cb79
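Review bot: the `+ 1` in `newbuf = (char *)PyMem_Realloc(newbuf, newsize + 1);` hides an off-by-one rather than fixing it. The hunk changes only the allocation size, not the size the rest of `tok_reserve_buf` goes on to record for the buffer (the `start`, `line_start` and `multi_line_start` offsets above it are all computed against the old bookkeeping), so the write that runs past `newsize` remains unaccounted for, and an overrun of more than one byte would still corrupt the heap. Rather than padding the allocation, locate the copy that writes past `newsize` (a sanitizer build or Valgrind will point at it) and size the reservation to include that byte, as the comment itself suggests.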
cc @pablogsal or @lysnikolaou
Will try to take a look this night or tomorrow 👍
Awesome :>
Valgrind complains here:
The problem is that we are assuming that we can happily add a
There are still some mysteries because we are supposedly allocating for that. Some assumption somewhere is wrong.
I will make a PR as soon as I get a better understanding on how the problem is being triggered.
…ines that fill the available buffer
…ines that fill the available buffer Signed-off-by: Pablo Galindo <pablogsal@gmail.com>
…hat fill the available buffer (#99605)
…pying lines that fill the available buffer (pythonGH-99605) (cherry picked from commit e13d1d9) Co-authored-by: Pablo Galindo Salgado <Pablogsal@gmail.com>
…ines that fill the available buffer (pythonGH-99605) (cherry picked from commit e13d1d9) Co-authored-by: Pablo Galindo Salgado <Pablogsal@gmail.com>
…pying lines that fill the available buffer (pythonGH-99605). (cherry picked from commit e13d1d9) Co-authored-by: Pablo Galindo Salgado <Pablogsal@gmail.com>
Thanks everyone, looks like this has been fixed!
Crash report
A very large comment in heapcrpt.py causes tokenizer.c to perform an illegal write, leading to heap corruption and crashing the interpreter.
Error messages
Linux/glibc:
double free or corruption (!prev)
Windows:
0xc0000374 in event viewer
Your environment
Reproduced on cpython 3.10.0, 3.10.8, 3.12.0a2
Reproduced on fedora 35 (x64), windows 10 (x64, 17763.316)
Not reproduced on cpython 3.9.15
Not visibly reproduced on macos 10.13
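As an added illustration of the bug class this report describes (not CPython's tokenizer code, and not a claim about the exact line in tokenizer.c that was at fault): a growable input buffer whose reservation counts the bytes of a line but not the terminating byte overruns by one exactly when a line fills the free space. The `linebuf` structure, `linebuf_reserve`, `terminator_overrun` and `demo_exact_fill` below are hypothetical names; `terminator_overrun` computes the overrun arithmetically so nothing out of bounds is ever written, and `linebuf_append_line` shows the safe sizing (reserve `len + 1` before any write) with the invariant a sanitizer or Valgrind would otherwise have to catch for you.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable input buffer; the field names echo the shape of
   such a structure but this is not CPython's struct tok_state. */
struct linebuf {
    char *buf;   /* start of storage */
    char *inp;   /* one past the last byte of data copied in so far */
    char *end;   /* one past the last byte of storage */
};

/* Guarantee at least `size` free bytes between inp and end, growing by
   realloc and re-basing the pointers on the new block. */
static int linebuf_reserve(struct linebuf *b, size_t size)
{
    size_t used = (size_t)(b->inp - b->buf);
    size_t cap  = (size_t)(b->end - b->buf);
    if (cap - used >= size) {
        return 1;
    }
    size_t newcap = cap ? cap : 16;
    while (newcap - used < size) {
        newcap *= 2;
    }
    char *nb = realloc(b->buf, newcap);
    if (nb == NULL) {
        return 0;
    }
    b->buf = nb;
    b->inp = nb + used;
    b->end = nb + newcap;
    return 1;
}

/* Pure arithmetic: how many bytes a copy of `line_len` bytes followed by a
   NUL terminator would run past a buffer with `free_bytes` available.
   Reserving only `line_len` (the bug pattern) gives 1 whenever the line
   exactly fills the free space; reserving `line_len + 1` never overruns. */
size_t terminator_overrun(size_t free_bytes, size_t line_len)
{
    size_t need = line_len + 1;
    return need > free_bytes ? need - free_bytes : 0;
}

/* Safe append: reserve room for the line AND its terminator before any write. */
int linebuf_append_line(struct linebuf *b, const char *line)
{
    size_t n = strlen(line);
    if (!linebuf_reserve(b, n + 1)) {
        return 0;
    }
    memcpy(b->inp, line, n);
    b->inp += n;
    *b->inp = '\0';
    return b->inp < b->end;   /* the terminator landed inside storage */
}

/* Scenario: a comment line whose length equals the initial capacity, so the
   last data byte lands on the final slot and only the +1 reservation leaves
   room for the terminator. Returns 1 if the line-only sizing would overrun
   by one byte and the safe path kept its invariants, 0 otherwise, -1 on
   allocation failure. */
int demo_exact_fill(size_t cap)
{
    struct linebuf b = { NULL, NULL, NULL };
    char *line = malloc(cap + 1);
    if (line == NULL) {
        return -1;
    }
    memset(line, '#', cap);          /* constructed input: a cap-byte comment */
    line[cap] = '\0';

    if (!linebuf_reserve(&b, cap)) { /* buffer now has exactly cap free bytes */
        free(line);
        return -1;
    }
    size_t free_bytes = (size_t)(b.end - b.inp);
    /* the line-only reservation would overrun by exactly one byte ... */
    int would_overrun = terminator_overrun(free_bytes, cap) == 1;
    /* ... while the safe append grows first and stays in bounds */
    int safe_ok = linebuf_append_line(&b, line)
               && strcmp(b.buf, line) == 0
               && (size_t)(b.end - b.buf) > cap;
    int ok = would_overrun && safe_ok;

    free(line);
    free(b.buf);
    return ok;
}

int main(void)
{
    printf("overrun if only the line is reserved: %zu byte(s)\n",
           terminator_overrun(16, 16));
    printf("exact-fill scenario safe: %d\n", demo_exact_fill(16));
    return 0;
}
```

The point of `terminator_overrun` is that the failure is not visible from the reservation call alone: a reservation of `n` bytes looks correct until a line of exactly `n` bytes arrives, which is why the report only trips on a very large comment rather than on ordinary input.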
Linked PRs