gh-144475: Fix a heap buffer overflow in partial_repr #145362

Merged
encukou merged 5 commits into python:main from bkap123:partial-repr
Mar 3, 2026
52 changes: 52 additions & 0 deletions Lib/test/test_functools.py
Expand Up@@ -514,6 +514,58 @@ def test_partial_genericalias(self):
self.assertEqual(alias.__args__, (int,))
self.assertEqual(alias.__parameters__, ())

# GH-144475: Tests that the partial object does not change until repr finishes
def test_repr_safety_against_reentrant_mutation(self):
g_partial = None

class Function:
def __init__(self, name):
self.name = name

def __call__(self):
return None

def __repr__(self):
return f"Function({self.name})"

class EvilObject:
def __init__(self):
self.triggered = False

def __repr__(self):
if not self.triggered and g_partial is not None:
self.triggered = True
new_args_tuple = (None,)
new_keywords_dict = {"keyword": None}
new_tuple_state = (Function("new_function"), new_args_tuple, new_keywords_dict, None)
g_partial.__setstate__(new_tuple_state)
gc.collect()
return f"EvilObject"

trigger = EvilObject()
func = Function("old_function")

g_partial = functools.partial(func, None, trigger=trigger)
self.assertEqual(repr(g_partial),"functools.partial(Function(old_function), None, trigger=EvilObject)")

trigger.triggered = False
g_partial = functools.partial(func, trigger, arg=None)
self.assertEqual(repr(g_partial),"functools.partial(Function(old_function), EvilObject, arg=None)")


trigger.triggered = False
g_partial = functools.partial(func, trigger, None)
self.assertEqual(repr(g_partial),"functools.partial(Function(old_function), EvilObject, None)")

trigger.triggered = False
g_partial = functools.partial(func, trigger=trigger, arg=None)
self.assertEqual(repr(g_partial),"functools.partial(Function(old_function), trigger=EvilObject, arg=None)")

trigger.triggered = False
g_partial = functools.partial(func, trigger, None, None, None, None, arg=None)
self.assertEqual(repr(g_partial),"functools.partial(Function(old_function), EvilObject, None, None, None, None, arg=None)")



@unittest.skipUnless(c_functools, 'requires the C _functools module')
class TestPartialC(TestPartial, unittest.TestCase):
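
Review bot: The test only compares the repr string, so nothing in test_repr_safety_against_reentrant_mutation confirms that g_partial.__setstate__(new_tuple_state) actually replaced the state during the call. Asserting after each repr(g_partial) that trigger.triggered is true and that g_partial.func is now the new_function object would show that the mutation happened and that the output was still built from the old state. Style: return f"EvilObject" has no placeholders and can be a plain string, the assertEqual calls are missing a space after the first comma, and the five near-identical cases would read better as a loop using self.subTest.
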
@@ -0,0 +1,3 @@
Calling :func:`repr` on :func:`functools.partial` is now safer
when the partial object's internal attributes are replaced while
the string representation is being generated.
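
Review bot: "is now safer" does not tell a changelog reader what was wrong; the PR title names a heap buffer overflow in partial_repr, and the entry should say so. Something like "Fix a heap buffer overflow in repr() of functools.partial when the object's state is replaced while the representation is being generated" states both the defect and the condition under which it occurred.
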
55 changes: 31 additions & 24 deletions Modules/_functoolsmodule.c
Expand Up@@ -688,65 +688,72 @@ partial_repr(PyObject *self)
{
partialobject *pto = partialobject_CAST(self);
PyObject *result = NULL;
PyObject *arglist;
PyObject *mod;
PyObject *name;
PyObject *arglist = NULL;
PyObject *mod = NULL;
PyObject *name = NULL;
Py_ssize_t i, n;
PyObject *key, *value;
int status;

status = Py_ReprEnter(self);
if (status != 0) {
if (status < 0)
if (status < 0) {
return NULL;
}
return PyUnicode_FromString("...");
}
/* Reference arguments in case they change */
PyObject *fn = Py_NewRef(pto->fn);
PyObject *args = Py_NewRef(pto->args);
PyObject *kw = Py_NewRef(pto->kw);
assert(PyTuple_Check(args));
assert(PyDict_Check(kw));

arglist = Py_GetConstant(Py_CONSTANT_EMPTY_STR);
if (arglist == NULL)
if (arglist == NULL) {
goto done;
}
/* Pack positional arguments */
assert(PyTuple_Check(pto->args));
n = PyTuple_GET_SIZE(pto->args);
n = PyTuple_GET_SIZE(args);
for (i = 0; i < n; i++) {
Py_SETREF(arglist, PyUnicode_FromFormat("%U, %R", arglist,
PyTuple_GET_ITEM(pto->args, i)));
if (arglist == NULL)
PyTuple_GET_ITEM(args, i)));
if (arglist == NULL) {
goto done;
}
}
/* Pack keyword arguments */
assert (PyDict_Check(pto->kw));
for (i = 0; PyDict_Next(pto->kw, &i, &key, &value);) {
for (i = 0; PyDict_Next(kw, &i, &key, &value);) {
/* Prevent key.__str__ from deleting the value. */
Py_INCREF(value);

Member

If we're covering all the bases:

Here, key can be an arbitrary object as well.

Also, the iteration should have a critical section around it -- see PyDict_Next docs.

But perhaps the best way to solve that would be switching to always use frozendict with string keys, so let's leave this to a future PR?

Contributor, Author

> Also, the iteration should have a critical section around it -- see PyDict_Next docs.

I think that adding a critical section here is best for a future PR. This PR is more about fixing a mutation during repr. In contrast, adding a critical section is intended for the free-threaded build. Additionally, I realized that there are quite a few other times in this file where PyDict_Next is called without a critical section, so a new PR is needed anyway. I can create an issue for this change, although, should we wait on a PR until this one is merged to avoid any conflicts? I'm fine adding a critical section now, though, if you think that is better.

The one change we could make now is to replace int i with Py_ssize_t pos as this would make this loop consistent with the docs and other calls to PyDict_Next.

> But perhaps the best way to solve that would be switching to always use frozendict with string keys, so let's leave this to a future PR?

I agree, enforcing that kw has only string keys seems like the best solution. Just to make sure I understand correctly, when you mean switch to using a frozendict, are you saying that the kw entry in the partialobject struct should be a frozendict instead of a dict, or are you referring to something only in this function (partial_repr)? If the former, I would like to work on making that change in a new PR. I’m fairly new to CPython, so I’d appreciate any suggestions you have for that change.

Member

> I think that adding a critical section here is best for a future PR.

OK!

> are you saying that the kw entry in the partialobject struct should be a frozendict instead of a dict, or are you referring to something only in this function (partial_repr)?

The former seems worth looking into. As you said, there's a lot of PyDict_Next without critical sections (and other possibilities for possible mutation than threads); frozendict could solve these neatly.

> I can create an issue for this change, although, should we wait on a PR until this one is merged to avoid any conflicts?

Yes.

Py_SETREF(arglist, PyUnicode_FromFormat("%U, %S=%R", arglist,
key, value));
Py_DECREF(value);
if (arglist == NULL)
if (arglist == NULL) {
goto done;
}
}

mod = PyType_GetModuleName(Py_TYPE(pto));
if (mod == NULL) {
gotoerror;
gotodone;
}

name = PyType_GetQualName(Py_TYPE(pto));
if (name == NULL) {
Py_DECREF(mod);
goto error;
goto done;
}
result = PyUnicode_FromFormat("%S.%S(%R%U)", mod, name, pto->fn, arglist);
Py_DECREF(mod);
Py_DECREF(name);
Py_DECREF(arglist);

done:
result = PyUnicode_FromFormat("%S.%S(%R%U)", mod, name, fn, arglist);
done:
Py_XDECREF(name);
Py_XDECREF(mod);
Py_XDECREF(arglist);
Py_DECREF(fn);
Py_DECREF(args);
Py_DECREF(kw);
Py_ReprLeave(self);
return result;
error:
Py_DECREF(arglist);
Py_ReprLeave(self);
return NULL;
}

/* Pickle strategy:
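
Review bot: In the keyword loop only value gets a strong reference (Py_INCREF(value)); key stays borrowed from PyDict_Next while %S and %R run arbitrary __str__ and __repr__ code. The new reference to kw guards against pto->kw being replaced, not against the same dict being modified in place, so holding key as well (Py_INCREF(key) before the PyUnicode_FromFormat call, Py_DECREF(key) after it) would extend the existing comment's guarantee to both operands at little cost. The loop also reuses i from the tuple loop as the PyDict_Next position; a separate Py_ssize_t pos = 0 keeps the two iterations independent and matches how the position argument is normally written.
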