Closed
Description
Bug report
Bug description:
If a custom iterator is passed into `bytearray.join`, and then it frees the bytearray inside of its `__iter__`, then memory can be read after it is freed:

```python
# stringlib_join_ReadAfterFree.py
def ReadAfterFree(size, do):
    b = bytearray(size)

    class T:
        def __iter__(self):
            b.clear()        # frees b's buffer while join is still consuming the iterator
            self.v = do()    # allocate something that may land on the freed memory
            yield b''
            yield b''

    c = b.join(t := T())     # join copies the separator from the stale buffer pointer
    return memoryview(c).cast('P'), t.v


if __name__ == '__main__':
    leak, obj = ReadAfterFree(bytearray.__basicsize__, lambda: bytearray(8))
    print('bytearray:', obj)
    print('leaked memory of buffer:', leak.tolist())
```

```text
➜  ~/Desktop/Coding/cpython_source git:(main) ./python.exe ../python/stringlib_join_ReadAfterFree.py
bytearray: bytearray(b'\x00\x00\x00\x00\x00\x00\x00\x00')
leaked memory of buffer: [1, 4305259912, 8, 9, 4307812848, 4307812848, 0]
```
CPython versions tested on:
CPython main branch
Operating systems tested on:
macOS
Linked PRs
- gh-112625: Protect bytearray from being freed by misbehaving iterator inside bytearray.join #112626
- [3.12] gh-112625: Protect bytearray from being freed by misbehaving iterator inside bytearray.join (GH-112626) #112693
- [3.11] gh-112625: Protect bytearray from being freed by misbehaving iterator inside bytearray.join (GH-112626) #112694
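As an added example, not code from the report or from the linked PRs: a probe that classifies the running interpreter by the behaviour the report describes, alongside the two guards user code can apply when it hands an untrusted iterable to `bytearray.join`. It assumes (my reading of the fix, not something the page states) that patched builds make the iterator's `clear()` fail with `BufferError` because join holds a buffer export on the separator; on unpatched builds the join completes and its separator bytes come from the released buffer, exactly as in the reproducer. `FreeingIterator`, `probe_join_reentrancy`, `materialise_first`, `snapshot_join` and `demo_guards` are names chosen here.

```python
import sys


class FreeingIterator:
    """Mirrors T from the report: releases the separator's buffer from inside
    __iter__ (while bytearray.join is consuming the iterator) and then allocates
    a fresh object that may be placed on the freed block."""

    def __init__(self, target):
        self.target = target
        self.replacement = None

    def __iter__(self):
        self.target.clear()              # frees/shrinks the separator buffer mid-join
        self.replacement = bytearray(8)  # candidate to reuse the freed memory
        yield b''                        # two empty items: result is exactly one separator
        yield b''


def probe_join_reentrancy(size=64):
    """Return 'patched' or 'unpatched' for the running interpreter.

    Assumption (mine, not stated in the report): builds carrying the fix keep
    the separator exported for the duration of join, so clear() inside the
    iterator raises BufferError instead of freeing the buffer.  If join
    returns normally, it emitted `size` bytes read through the stale pointer.
    """
    sep = bytearray(size)
    try:
        result = sep.join(FreeingIterator(sep))
    except BufferError:
        return 'patched'
    assert len(result) == size   # one separator between the two empty items
    return 'unpatched'


def materialise_first(sep, iterable):
    """Guard 1: run the iterator (and its side effects) before join captures
    the separator pointer.  With FreeingIterator the separator is already empty
    when join starts, so the result is b'' on every interpreter."""
    return sep.join(tuple(iterable))


def snapshot_join(sep, iterable):
    """Guard 2: freeze the separator as immutable bytes so foreign code cannot
    resize it underneath join, then materialise the iterable.  Yields the
    separator as it was on entry, which is usually what the caller meant."""
    frozen = bytes(sep)
    return frozen.join(tuple(iterable))


def demo_guards(pattern=b'\xaa' * 16):
    """Apply both guards to a fresh separator each; returns (guard1, guard2)."""
    a = bytearray(pattern)
    first = materialise_first(a, FreeingIterator(a))
    b = bytearray(pattern)
    second = snapshot_join(b, FreeingIterator(b))
    return first, second


if __name__ == '__main__':
    print('interpreter:', sys.version.split()[0], probe_join_reentrancy())
    print('guards:', demo_guards())
```

The difference between the two guards is the evaluation order: `materialise_first` lets the iterator's mutation win (the separator is read after `clear()`), while `snapshot_join` pins the separator before any foreign code runs. Either removes the window in which join holds a pointer into a buffer the iterator can release.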