Status: Open

Labels: extension-modules (C modules in the Modules dir), type-crash (A hard crash of the interpreter, possibly with a core dump)
Description
Bug report
Bug description:
When Struct.__new__() is called without __init__(), s_codes is NULL. Struct___sizeof___impl() does NOT use ENSURE_STRUCT_IS_READY() and directly dereferences s_codes in the for loop, causing a NULL pointer dereference (SIGSEGV).
Modules/_struct.c:2378 (Struct___sizeof___impl):

```c
for (formatcode *code = self->s_codes; code->fmtdef != NULL; code++)
```

```python
import _struct
# Create a Struct object without calling __init__
# s_new sets: s_codes = NULL, s_format = Py_None
s = _struct.Struct.__new__(_struct.Struct)
# __sizeof__ dereferences s_codes without NULL check
# This triggers: SIGSEGV / AddressSanitizer: SEGV on unknown address 0x000000000000
s.__sizeof__()
```

ASAN:

```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==287432==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fc7e53eff58 bp 0x7ffe4b757660 sp 0x7ffe4b757660 T0)
==287432==The signal is caused by a READ memory access.
==287432==Hint: address points to the zero page.
#0 0x7fc7e53eff58 in Struct___sizeof___impl ../Modules/_struct.c:2386
#1 0x7fc7e53eff79 in Struct___sizeof__ ../Modules/clinic/_struct.c.h:328
#2 0x5e0e191deba1 in method_vectorcall_NOARGS ../Objects/descrobject.c:448
#3 0x5e0e191beccc in _PyObject_VectorcallTstate ../Include/internal/pycore_call.h:136
#4 0x5e0e191bedbf in PyObject_Vectorcall ../Objects/call.c:327
#5 0x5e0e1943dcf7 in _Py_VectorCallInstrumentation_StackRefSteal ../Python/ceval.c:769
#6 0x5e0e1944dcbb in _PyEval_EvalFrameDefault ../Python/generated_cases.c.h:1817
#7 0x5e0e19484f30 in _PyEval_EvalFrame ../Include/internal/pycore_ceval.h:118
#8 0x5e0e19485296 in _PyEval_Vector ../Python/ceval.c:2132
#9 0x5e0e1948554c in PyEval_EvalCode ../Python/ceval.c:680
#10 0x5e0e19588d31 in run_eval_code_obj ../Python/pythonrun.c:1366
#11 0x5e0e19589077 in run_mod ../Python/pythonrun.c:1469
#12 0x5e0e19589fac in pyrun_file ../Python/pythonrun.c:1294
#13 0x5e0e1958cde2 in _PyRun_SimpleFileObject ../Python/pythonrun.c:518
#14 0x5e0e1958d08e in _PyRun_AnyFileObject ../Python/pythonrun.c:81
#15 0x5e0e195e26b6 in pymain_run_file_obj ../Modules/main.c:410
#16 0x5e0e195e2923 in pymain_run_file ../Modules/main.c:429
#17 0x5e0e195e4121 in pymain_run_python ../Modules/main.c:691
#18 0x5e0e195e47b7 in Py_RunMain ../Modules/main.c:772
#19 0x5e0e195e49a3 in pymain_main ../Modules/main.c:802
#20 0x5e0e195e4d28 in Py_BytesMain ../Modules/main.c:826
#21 0x5e0e19049675 in main ../Programs/python.c:15
#22 0x7fc7e5c2a3b7 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#23 0x7fc7e5c2a47a in __libc_start_main_impl ../csu/libc-start.c:360
#24 0x5e0e190495a4 in _start (/home/raminfp/Projects/cpython/build-asan/python+0x2ee5a4) (BuildId: b6692a1e94ed1222fac0cb716d806843accd7c52)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ../Modules/_struct.c:2386 in Struct___sizeof___impl
==287432==ABORTING
```

Fix:
2374 Struct___sizeof___impl(PyStructObject *self)
2375 /*[clinic end generated code: output=2d0d78900b4cdb4e input=faca5925c1f1ffd0]*/
2376 {
2377 + ENSURE_STRUCT_IS_READY(self);
2378 size_t size = _PyObject_SIZE(Py_TYPE(self)) + sizeof(formatcode);
2379 for (formatcode *code = self->s_codes; code->fmtdef != NULL; code++) {
2380 size += sizeof(formatcode);
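Review bot: the ENSURE_STRUCT_IS_READY(self) added at 2377 guards the loop at 2379 that walks self->s_codes, but the fragment carries no regression test; please add one to Lib/test/test_struct.py that calls Struct.__new__(Struct).__sizeof__() and asserts it raises rather than crashes, so the no-__init__ path stays covered. Also confirm the macro's early return matches this function's return type: Struct___sizeof___impl is the clinic-generated impl (see the clinic comment at 2375) and hands a Python object back to the Struct___sizeof__ wrapper, so an early `return NULL` with an exception set is the right shape here, while a bare `return` or a non-pointer value would not be.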
CPython versions tested on:
CPython main branch
Operating systems tested on:
Linux
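Added example, not part of the report above and not CPython code: a small probe that runs the reporter's reproducer in a child interpreter and classifies what happened, so that checking whether a given build is affected cannot take the calling process down with it. The REPRO string, classify(), signal_name() and probe() are this example's own names; the three verdicts (crashed, rejected, ok) are its own convention.

```python
"""Probe whether a CPython build crashes on Struct.__new__(...).__sizeof__().

Added example; not from the bug report or from CPython. The reproducer is
executed in a child process so a SIGSEGV there never reaches the caller.
"""
import signal
import subprocess
import sys

# The reporter's reproducer: a Struct allocated via __new__ but never passed
# through __init__, so s_codes is still NULL when __sizeof__ walks it.
REPRO = (
    "import _struct\n"
    "s = _struct.Struct.__new__(_struct.Struct)\n"
    "print(s.__sizeof__())\n"
)


def classify(returncode: int, stderr: str) -> str:
    """Map a child-process outcome to one of three verdicts.

    'crashed'  - the child died from a signal, or an ASAN build reported a
                 sanitizer error: the NULL dereference is reachable.
    'rejected' - the child exited with an unhandled Python exception, i.e. a
                 build where __sizeof__ refuses an uninitialised Struct.
    'ok'       - the call returned normally (no check, but no crash either).
    """
    # POSIX reports death-by-signal as a negative return code; Windows reports
    # an access violation as an NTSTATUS-style code in the 0xC0000000 range.
    if returncode < 0 or returncode >= 0xC0000000:
        return "crashed"
    if returncode == 0:
        return "ok"
    # ASAN exits with a small non-zero code instead of re-raising the signal,
    # so recognise its banner in stderr.
    if "AddressSanitizer" in stderr:
        return "crashed"
    return "rejected"


def signal_name(returncode: int) -> str:
    """Human-readable signal name for a negative POSIX return code, else ''."""
    if returncode >= 0:
        return ""
    try:
        return signal.Signals(-returncode).name
    except ValueError:
        return f"signal {-returncode}"


def probe(python: str = sys.executable, timeout: float = 30.0) -> dict:
    """Run REPRO under `python` in a fresh process and classify the outcome."""
    proc = subprocess.run(
        [python, "-c", REPRO],
        capture_output=True, text=True, timeout=timeout,
    )
    lines = proc.stderr.strip().splitlines()
    return {
        "python": python,
        "returncode": proc.returncode,
        "signal": signal_name(proc.returncode),
        "verdict": classify(proc.returncode, proc.stderr),
        "stderr_last_line": lines[-1] if lines else "",
    }


if __name__ == "__main__":
    # Usage: python probe_struct_sizeof.py [/path/to/other/python]
    target = sys.argv[1] if len(sys.argv) > 1 else sys.executable
    result = probe(target)
    for key, value in result.items():
        print(f"{key}: {value}")
    sys.exit(2 if result["verdict"] == "crashed" else 0)
```

Pass the path of the interpreter under test as the first argument to check a build other than the one running the script (an ASAN build, for instance); the exit status is 2 when the reproducer crashed the child and 0 otherwise, which makes the probe usable from CI.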