ctypes: segfault with large POINTER type names

[meadori]

BPO	13096
Nosy	@amauryfa, @abalkin, @vstinner, @bitdancer, @meadori, @stratakis
PRs	[2.7] bpo-13096: Fix partial backport of issue 13096. #12100
Files	issue13096.patch: Patch against tip (3.3.0a0)

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = 'https://github.com/meadori'
closed_at = <Date 2014-10-12.18:27:40.933>
created_at = <Date 2011-10-04.03:47:38.499>
labels = ['extension-modules', 'ctypes', 'type-crash']
title = 'ctypes: segfault with large POINTER type names'
updated_at = <Date 2019-03-04.15:40:28.826>
user = 'https://github.com/meadori'

bugs.python.org fields:

activity = <Date 2019-03-04.15:40:28.826>
actor = 'vstinner'
assignee = 'meador.inge'
closed = True
closed_date = <Date 2014-10-12.18:27:40.933>
closer = 'r.david.murray'
components = ['Extension Modules', 'ctypes']
creation = <Date 2011-10-04.03:47:38.499>
creator = 'meador.inge'
dependencies = []
files = ['23800']
hgrepos = []
issue_num = 13096
keywords = ['patch', 'needs review']
message_count = 11.0
messages = ['144850', '144851', '145257', '145258', '148539', '217341', '217367', '229186', '229187', '336858', '337132']
nosy_count = 9.0
nosy_names = ['amaury.forgeotdarc', 'belopolsky', 'vstinner', 'r.david.murray', 'jesstess', 'meador.inge', 'bbrazil', 'python-dev', 'cstratak']
pr_nums = ['12100']
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'crash'
url = 'https://bugs.python.org/issue13096'
versions = ['Python 2.7', 'Python 3.4', 'Python 3.5']

[meadori]

Reproducible in 2.7 and tip:

[meadori@motherbrain cpython]$ ./python 
Python 3.3.0a0 (default:61de28fa5537+d05350c14e77+, Oct  3 2011, 21:47:04) 
[GCC 4.6.0 20110603 (Red Hat 4.6.0-10)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from ctypes import *
>>> T = type('x' * 2 ** 25, (Structure,), {})
>>> p = POINTER(T)
Segmentation fault (core dumped)

[meadori]

There is similar crasher to this one that can be reproduced like:

[meadori@motherbrain cpython]$ ./python 
Python 3.3.0a0 (default:61de28fa5537+d05350c14e77+, Oct  3 2011, 21:47:04) 
[GCC 4.6.0 20110603 (Red Hat 4.6.0-10)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from ctypes import *
>>> p = POINTER('x' * 2 ** 25)
Segmentation fault (core dumped)

It should be fixed as well.

[bbrazil]

The problem is around line 1734 of callproc.c in tip:

} else if (PyType_Check(cls)) {
    typ = (PyTypeObject *)cls;
    buf = alloca(strlen(typ->tp_name) + 3 + 1);
    sprintf(buf, "LP_%s", typ->tp_name);   <-- segfault is here

Replacing the alloca with a malloc fixes it, so I presume it's hitting the stack size limit as 2^25 is 32MB (my stack limit is 8MB).

[meadori]

Yup, it is the 'alloca' call. This issue and bpo-13097 are both
'alloca' related as mentioned in bpo-12881.

[meadori]

Here is a small patch against tip. OK?

[jesstess]

Thanks for the report and patch, meador.inge.

I'd prefer not to add more globals that are only used in one place, but doing so is consistent with the existing style of test_pointers.py, and there's plenty in this file that could be cleaned up in another ticket.

• The patch passes make patchcheck.
• The full test suite passes with this patch.
• The reproducers in this issue segfault for me without this patch and do not segfault with this patch.

lgtm!

=> commit review

[meadori]

Thanks for the review and reminder about this issue, jesstess. I will apply the patch later today.

[python-dev]

New changeset e940bb13d010 by R David Murray in branch '3.4':
bpo-13096: Fix segfault in CTypes POINTER handling of large values.
https://hg.python.org/cpython/rev/e940bb13d010

New changeset 02c9c3204a04 by R David Murray in branch 'default':
Merge: bpo-13096: Fix segfault in CTypes POINTER handling of large values.
https://hg.python.org/cpython/rev/02c9c3204a04

New changeset ff59b0f9e142 by R David Murray in branch '2.7':
bpo-13096: Fix segfault in CTypes POINTER handling of large values.
https://hg.python.org/cpython/rev/ff59b0f9e142

[bitdancer]

Committed.

[stratakis]

It seems the python2 backport was incomplete as a PyMem_Free is missing, making buf leak.

[vstinner]

New changeset 710dcfd by Victor Stinner (stratakis) in branch '2.7':
[2.7] bpo-13096: Fix memory leak in ctypes POINTER handling of large values (GH-12100)
710dcfd