Skip to content

Undefined behavior NULL + 0 in list_extend_{set,dict,dictitems} #133073

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
picnixz opened this issue Apr 28, 2025 · 1 comment
Closed

Undefined behavior NULL + 0 in list_extend_{set,dict,dictitems} #133073

picnixz opened this issue Apr 28, 2025 · 1 comment
Assignees
@picnixz
Labels
interpreter-core (Objects, Python, Grammar, and Parser dirs) type-bug An unexpected behavior, bug, or error

Comments

@picnixz
Copy link
Member

picnixz commented Apr 28, 2025
edited by bedevere-app bot
Loading

Bug report

Found by @emmatyping.

Bug description:

This affects list_extend_{set,dict,dictitems}, e.g.:

static int
list_extend_set(PyListObject *self, PySetObject *other)
{
    Py_ssize_t m = Py_SIZE(self);
    Py_ssize_t n = PySet_GET_SIZE(other);
    if (list_resize(self, m + n) < 0) {
        return -1;
    }
    /* populate the end of self with iterable's items */
    Py_ssize_t setpos = 0;
    Py_hash_t hash;
    PyObject *key;
    PyObject **dest = self->ob_item + m; // UB if 'self' is the empty list!
    while (_PySet_NextEntryRef((PyObject *)other, &setpos, &key, &hash)) {
        FT_ATOMIC_STORE_PTR_RELEASE(*dest, key);
        dest++;
    }
    Py_SET_SIZE(self, m + n);
    return 0;
}

If a list object is empty, ob->ob_items will be NULL. In particular, list_resize won't allocate and the size will be 0. However:

PyObject **dest = self->ob_item + m;

becomes equivalent to NULL + 0 which is UB. There is no runtime error for now because the loop that follows is not executed.

CPython versions tested on:

CPython main branch

Operating systems tested on:

No response

Linked PRs
@picnixz picnixz added interpreter-core (Objects, Python, Grammar, and Parser dirs) type-bug An unexpected behavior, bug, or error labels Apr 28, 2025
@picnixz picnixz self-assigned this Apr 28, 2025
@bedevere-app bedevere-app bot mentioned this issue Apr 28, 2025
Merged
picnixz added a commit that referenced this issue Apr 28, 2025
@picnixz
gh-133073: avoid NULL + 0 arithmetic in list_extend_* functions (#…
a99bfaa 
…133074)
@picnixz picnixz closed this as completed Apr 28, 2025
@picnixz
Copy link
Member Author

picnixz commented Apr 28, 2025

I won't backport this because we did not backport previous UBs fixes, though it could be considered a micro-optimization.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@picnixz picnixz

Labels
interpreter-core (Objects, Python, Grammar, and Parser dirs) type-bug An unexpected behavior, bug, or error
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@picnixz