New submission from Pasha Stetsenko <stpa...@gmail.com>:

The documentation (https://docs.python.org/3/c-api/tuple.html) for 
`PyStructSequence_InitType` describes the function as follows:

> void PyStructSequence_InitType(PyTypeObject *type, PyStructSequence_Desc 
> *desc)
> Initializes a struct sequence type `type` from `desc` in place.

And most of the time it does just that.
However, when running under Python compiled in debug mode, the body of the 
function will contain the following code at the very beginning:
```c
    /* Compiled only when Py_TRACE_REFS is defined (Py_DEBUG implies it in
       these versions): unchains the old object from the all-objects list
       before its storage is overwritten. */
    if (type->ob_base.ob_base._ob_next) {
        _Py_ForgetReference((PyObject*)type);
    }
```
Since `type` here is a preallocated but uninitialized piece of memory, it 
may contain garbage data that, when interpreted as a "live" PyObject, will 
result in memory corruption or a process crash.

Thus, either the description of the `PyStructSequence_InitType` method has to 
document that the `type` object must be zeroed out before being passed to the 
method, or the call to `_Py_ForgetReference` has to be removed.

----------
messages: 318523
nosy: Pasha Stetsenko
priority: normal
severity: normal
status: open
title: Unsafe memory access in PyStructSequence_InitType
type: crash
versions: Python 3.5, Python 3.6, Python 3.7

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue33742>
_______________________________________
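The following C program is an added illustration, not code from CPython or from the report above. It models just enough of the Py_TRACE_REFS machinery to show why the check is dangerous on uninitialised storage and what the caller-side contract looks like. The `object`/`type_object` layouts, `refchain`, `add_reference`, `forget_reference`, `init_type`, `init_type_from_fresh_storage` and `fill_with_garbage` are simplified stand-ins of my own for CPython's object header, its all-objects list, `_Py_AddToAllObjects`, `_Py_ForgetReference` and `PyStructSequence_InitType`; the 0xA5 fill is a constructed stand-in for whatever happens to be in uninitialised memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of a Py_TRACE_REFS object header (simplified, not CPython's layout):
 * every live object is linked into one global doubly linked "refchain"
 * through _ob_next/_ob_prev, and a NULL _ob_next means "not on the chain". */
typedef struct object {
    struct object *_ob_next;
    struct object *_ob_prev;
    long ob_refcnt;
} object;

/* Stand-in for PyTypeObject: the header plus a couple of type fields. */
typedef struct {
    object ob_base;
    const char *name;
    int n_fields;
} type_object;

/* Chain sentinel; an empty chain points at itself. */
static object refchain = { &refchain, &refchain, 0 };

/* Model of _Py_AddToAllObjects (what PyType_Ready does in a debug build). */
static void add_reference(object *op)
{
    op->_ob_next = refchain._ob_next;
    op->_ob_prev = &refchain;
    refchain._ob_next->_ob_prev = op;
    refchain._ob_next = op;
}

/* Model of _Py_ForgetReference: unlink op by writing through BOTH neighbours.
 * With garbage in _ob_next/_ob_prev these two stores are wild writes. */
static void forget_reference(object *op)
{
    op->_ob_next->_ob_prev = op->_ob_prev;
    op->_ob_prev->_ob_next = op->_ob_next;
    op->_ob_next = op->_ob_prev = NULL;
}

static int refchain_length(void)
{
    int n = 0;
    for (object *p = refchain._ob_next; p != &refchain; p = p->_ob_next)
        n++;
    return n;
}

/* Whether the debug prologue would treat this storage as a live, chained
 * type: it only tests _ob_next for non-NULL, never for sanity. */
static bool header_looks_live(const type_object *type)
{
    return type->ob_base._ob_next != NULL;
}

/* Model of PyStructSequence_InitType in a debug build: unchain the old
 * object if the header says it is chained, rebuild the type in place,
 * then chain the new one. Returns true when the unchain branch ran. */
static bool init_type(type_object *type, const char *name, int n_fields)
{
    bool was_chained = false;
    if (type->ob_base._ob_next) {          /* the check quoted in the report */
        forget_reference(&type->ob_base);  /* dereferences whatever is there */
        was_chained = true;
    }
    memset(type, 0, sizeof *type);
    type->name = name;
    type->n_fields = n_fields;
    add_reference(&type->ob_base);
    return was_chained;
}

/* The caller-side contract the report asks to have documented: storage that
 * is not already zero (malloc'ed, on the stack) must be zeroed before its
 * first init. Static storage is zero-initialised by the C standard, so the
 * usual `static PyTypeObject FooType;` in an extension needs no memset. */
static bool init_type_from_fresh_storage(type_object *storage,
                                         const char *name, int n_fields)
{
    memset(storage, 0, sizeof *storage);
    return init_type(storage, name, n_fields);
}

/* Constructed stand-in for uninitialised memory: a 0xA5 fill pattern. */
static void fill_with_garbage(type_object *storage)
{
    memset(storage, 0xA5, sizeof *storage);
}

int main(void)
{
    type_object on_stack;
    fill_with_garbage(&on_stack);
    printf("garbage-filled storage looks live: %s\n",
           header_looks_live(&on_stack) ? "yes (prologue would unchain it)" : "no");
    init_type_from_fresh_storage(&on_stack, "stack_type", 3);
    printf("zero + init: %s with %d fields, chain length %d\n",
           on_stack.name, on_stack.n_fields, refchain_length());
    printf("re-init of a live type unchains it first: %s, chain length %d\n",
           init_type(&on_stack, "stack_type", 4) ? "yes" : "no", refchain_length());
    return 0;
}
```

Against a real debug build the same contract reads: zero the `PyTypeObject` storage (or keep it in static storage) before the first `PyStructSequence_InitType`; only a second call on a type that has already gone through `PyType_Ready` legitimately reaches the unchain branch, which is the case the guard exists for.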