1.5rc1: Calling figure transform with wrong argument crashs python

[Tillsten]

Following lead to a interpreter crash:

import matplotlib.pyplot as plt
fig = plt.figure()
#Just just give an exception
fig.transFigure.transform(1)

Windows 10, 64 bit, 2.7

[tacaswell]

Segfaults on linux as well.

That is exciting!

attn @mdboom

[cgohlke]

The crash is at https://github.com/matplotlib/matplotlib/blob/master/src/numpy_cpp.h#L471, when m_shape==NULL.

This does not crash:

diff --git a/src/numpy_cpp.h b/src/numpy_cpp.h
index 10ae68c..c961e25 100644
--- a/src/numpy_cpp.h
+++ b/src/numpy_cpp.h
@@ -465,7 +465,7 @@ class array_view : public detail::array_view_accessors<array_view, T, ND>

     npy_intp dim(size_t i) const
     {
-        if (i > ND) {
+        if ((i > ND) || (m_shape == NULL)) {
             return 0;
         }
         return m_shape[i];

[jkseppan]

I don't think array_view is supposed to have m_shape == NULL. The code tries to assign a zeros array to m_shape when the view is uninitialized. I suspect one of the constructors is not doing sufficient checking of numpy return values.

[jkseppan]

The zero-data branch sets m_shape correctly but then falls through to the code below, which sets m_shape to the return value of PyArray_DIMS, which seems to be NULL for numpy scalars. I'm working on a patch.

[jkseppan]

Patch in #5106.

[cgohlke]

Even if m_shape != NULL shouldn't the dim function read if (i >= ND) { instead of if (i > ND) {?

[jkseppan]

@cgohlke is right, that looks like a bug even if it wasn't the cause of this crash.

[jkseppan]

In many cases m_shape gets initialized to zeros, which is a static array of three numbers. That looks bad too, although I imagine all uses of this class are for at most three dimensions.

[jkseppan]

Oh, I suppose since array_view_accessors is only instantiated for ND less than 4, it should be impossible to instantiate array_view<T, 4>.