Skip to content

gh-91153: Fix bytearray holding a reference to its internal buffer when calling into potentially mutating __index__ methods #132379

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 9 commits into from
Jul 12, 2025
Merged

gh-91153: Fix bytearray holding a reference to its internal buffer when calling into potentially mutating __index__ methods #132379

merged 9 commits into from
Jul 12, 2025
+42 −2

Conversation

bast0006
Copy link
Contributor

@bast0006 bast0006 commented Apr 10, 2025
edited by bedevere-app bot
Loading

bytearray's __setitem__ implementation currently grabs a reference to its internal buffer before calling _getbyvalue to determine the index that needs assignment. _getbyvalue can call into arbitrary python code via __index__ dunders, which could alter the internal buffer and leave said reference dangling.

A prior fix for this issue ensures that bounds checking occurs after _getbyvalue is called. However, python code is capable of resizing the bytearray, resulting in limited but still broken behavior.

This patch ensures that the reference to the internal buffer is fetched only after _getbyvalue is called to prevent it from being held while any python code is run.

@python-cla-bot
Copy link

python-cla-bot bot commented Apr 10, 2025
edited
Loading

All commit authors signed the Contributor License Agreement.

CLA signed

@bedevere-app
Copy link

bedevere-app bot commented Apr 10, 2025

Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool.

If this change has little impact on Python users, wait for a maintainer to apply the skip news label instead.

@bedevere-app bedevere-app bot mentioned this pull request Apr 10, 2025
Closed
@bast0006
Copy link
Contributor Author

bast0006 commented Apr 10, 2025
edited
Loading

I've signed the CLA. Let me know if a NEWS entry is required. I'm not sure it is, especially since there was already a previous change that this is a fix to.

@picnixz picnixz self-requested a review May 17, 2025 11:00
picnixz
picnixz reviewed May 17, 2025
View reviewed changes
Copy link
Member

@picnixz picnixz left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add a NEWS entry please? It's still worth to mention that we fixed more crashes.

@bast0006
Copy link
Contributor Author

Done

@bast0006 bast0006 requested a review from picnixz May 17, 2025 23:25
ZeroIntensity
ZeroIntensity reviewed May 18, 2025
View reviewed changes
@ZeroIntensity ZeroIntensity added needs backport to 3.13 bugs and security fixes needs backport to 3.14 bugs and security fixes labels May 18, 2025
@bast0006 bast0006 force-pushed the bast0006/gh-91153 branch from 3c1de75 to d3d1974 Compare May 18, 2025 03:53
picnixz
picnixz reviewed Jun 2, 2025
View reviewed changes
@bast0006 @picnixz
pythonGH-91153: Fixup comments and NEWS entry
18e6597 
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
ZeroIntensity
ZeroIntensity approved these changes Jun 3, 2025
View reviewed changes
Lib/test/test_bytes.py Outdated
@@ -1889,6 +1889,39 @@ def __index__(self):
with self.assertRaises(IndexError):
self._testlimitedcapi.sequence_setitem(b, 0, Boom())

def test_mutating_index_inbounds(self):
# See gh-91153
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you add a brief description of the issue?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

@bast0006 bast0006 force-pushed the bast0006/gh-91153 branch from 5853b5c to 50b7998 Compare June 3, 2025 20:53
@bast0006 bast0006 force-pushed the bast0006/gh-91153 branch from 50b7998 to 4b7ec9c Compare June 3, 2025 20:57
picnixz
picnixz approved these changes Jul 12, 2025
View reviewed changes
Copy link
Member

@picnixz picnixz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

2 NITS and I'll merge.

@picnixz picnixz enabled auto-merge (squash) July 12, 2025 13:15
@picnixz picnixz merged commit 5e1e21d into python:main Jul 12, 2025
41 checks passed
@miss-islington-app
Copy link

Thanks @bast0006 for the PR, and @picnixz for merging it 🌮🎉.. I'm working now to backport this PR to: 3.13, 3.14.
🐍🍒⛏🤖

miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Jul 12, 2025
@bast0006 @picnixz @miss-islington
pythongh-91153: prevent a crash in bytearray.__setitem__(ind, ...)
02aa323 
…when `ind.__index__` has side-effects (pythonGH-132379)

(cherry picked from commit 5e1e21dee35b8e9066692d08033bbbdb562e2c28)

Co-authored-by: Bast <52266665+bast0006@users.noreply.github.com>
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
@miss-islington-app
Copy link

Sorry, @bast0006 and @picnixz, I could not cleanly backport this to 3.13 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker 5e1e21dee35b8e9066692d08033bbbdb562e2c28 3.13

@bedevere-app
Copy link

bedevere-app bot commented Jul 12, 2025

GH-136581 is a backport of this pull request to the 3.14 branch.

@bedevere-app bedevere-app bot removed the needs backport to 3.14 bugs and security fixes label Jul 12, 2025
picnixz added a commit to picnixz/cpython that referenced this pull request Jul 12, 2025
@bast0006 @picnixz
[3.13] pythongh-91153: prevent a crash in `bytearray.__setitem__(ind,…
0e827aa 
… ...)` when `ind.__index__` has side-effects (pythonGH-132379)

(cherry picked from commit 5e1e21d)

Co-authored-by: Bast <52266665+bast0006@users.noreply.github.com>
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
@bedevere-app
Copy link

bedevere-app bot commented Jul 12, 2025

GH-136582 is a backport of this pull request to the 3.13 branch.

@bedevere-app bedevere-app bot removed the needs backport to 3.13 bugs and security fixes label Jul 12, 2025
picnixz added a commit that referenced this pull request Jul 12, 2025
@picnixz @bast0006
[3.13] gh-91153: prevent a crash in bytearray.__setitem__(ind, ...)
360540f 
… when `ind.__index__` has side-effects (GH-132379) (#136582)

(cherry picked from commit 5e1e21d)

Co-authored-by: Bast <52266665+bast0006@users.noreply.github.com>
picnixz added a commit that referenced this pull request Jul 12, 2025
@miss-islington @bast0006 @picnixz
[3.14] gh-91153: prevent a crash in bytearray.__setitem__(ind, ...)
d5866a8 
… when `ind.__index__` has side-effects (GH-132379) (#136581)

gh-91153: prevent a crash in `bytearray.__setitem__(ind, ...)` when `ind.__index__` has side-effects (GH-132379)
(cherry picked from commit 5e1e21d)

Co-authored-by: Bast <52266665+bast0006@users.noreply.github.com>
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
Pranjal095 pushed a commit to Pranjal095/cpython that referenced this pull request Jul 12, 2025
@bast0006 @picnixz @Pranjal095
pythongh-91153: prevent a crash in bytearray.__setitem__(ind, ...)
fc46948 
…when `ind.__index__` has side-effects (python#132379)

Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@picnixz picnixz picnixz approved these changes

@ZeroIntensity ZeroIntensity ZeroIntensity approved these changes

Assignees

@picnixz picnixz

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@bast0006 @picnixz @ZeroIntensity
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy