Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

_sre.template crashes in case of negative or non-integer group index #106524

Closed
chgnrdv opened this issue Jul 7, 2023 · 2 comments · Fixed by #106525
Closed

_sre.template crashes in case of negative or non-integer group index #106524

chgnrdv opened this issue Jul 7, 2023 · 2 comments · Fixed by #106525
Labels
topic-regex type-crash A hard crash of the interpreter, possibly with a core dump

Comments

@chgnrdv
Copy link
Contributor

chgnrdv commented Jul 7, 2023
edited by bedevere-bot

_sre.template crashes if template argument contains group index that is negative or not an int instance.
Examples:

>>> import _sre
>>> _sre.template("", ["", -1, ""])
Segmentation fault (core dumped)
>>> _sre.template("", ["", (), ""])
Segmentation fault (core dumped)

In _sre_template_impl part of self->items remains uninitialized if call to PyLong_AsSsize_t returns negative value or fails with exception. Then attempt to clear self->items[i].literal in template_clear leads to dereferencing of uninitialized pointer.

Not sure if this worth fixing, since _sre.template is an internal implementation detail that is used only in _compile_template function, where it accepts only (I guess) correct templates created in _parser.parse_template function, and additional checks/initialization can affect its performance. But I'll submit a PR anyway.

Linked PRs
@chgnrdv chgnrdv added the type-crash A hard crash of the interpreter, possibly with a core dump label Jul 7, 2023
chgnrdv added a commit to chgnrdv/cpython that referenced this issue Jul 7, 2023
@chgnrdv
pythongh-106524: Zero template items before initializing them in _sre…
816432c 
….template

* made `_sre_template_impl` set items of 'self->items' array to zero before initializing them with group indices and literals
* added test
@chgnrdv chgnrdv mentioned this issue Jul 7, 2023
Merged
@terryjreedy
Copy link
Member

In Windows with 3.12.0b3 installed, I just get 'TypeError: invalid template'

@chgnrdv
Copy link
Contributor Author

chgnrdv commented Jul 7, 2023

@terryjreedy, sorry, I should have mentioned that Python needs to be build in debug mode, or with ASAN enabled.

serhiy-storchaka pushed a commit that referenced this issue Jul 8, 2023
@chgnrdv
gh-106524: Fix a crash in _sre.template() (GH-106525)
2ef1dc3 
Some items remained uninitialized if _sre.template() was called with invalid
indices. Then attempt to clear them in the destructor led to dereferencing
of uninitialized pointer.
@bedevere-bot bedevere-bot mentioned this issue Jul 8, 2023
Merged
serhiy-storchaka pushed a commit that referenced this issue Jul 8, 2023
@miss-islington @chgnrdv
[3.12] gh-106524: Fix a crash in _sre.template() (GH-106525) (GH-106544)
8fdb058 
Some items remained uninitialized if _sre.template() was called with invalid
indices. Then attempt to clear them in the destructor led to dereferencing
of uninitialized pointer.
(cherry picked from commit 2ef1dc3)

Co-authored-by: Radislav Chugunov <52372310+chgnrdv@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
topic-regex type-crash A hard crash of the interpreter, possibly with a core dump
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

gh-106524: Zero template items before initializing them in _sre.template chgnrdv/cpython
3 participants
@terryjreedy @chgnrdv @AlexWaygood