_sre.template crashes if template argument contains group index that is negative or not an int instance.
Examples:
>>> import _sre
>>> _sre.template("", ["", -1, ""])
Segmentation fault (core dumped)>>> _sre.template("", ["", (), ""])
Segmentation fault (core dumped)In _sre_template_impl part of self->items remains uninitialized if call to PyLong_AsSsize_t returns negative value or fails with exception. Then attempt to clear self->items[i].literal in template_clear leads to dereferencing of uninitialized pointer.
Not sure if this worth fixing, since _sre.template is an internal implementation detail that is used only in _compile_template function, where it accepts only (I guess) correct templates created in _parser.parse_template function, and additional checks/initialization can affect its performance. But I'll submit a PR anyway.
Linked PRs
_sre.templatecrashes iftemplateargument contains group index that is negative or not anintinstance.Examples:
In
_sre_template_implpart ofself->itemsremains uninitialized if call toPyLong_AsSsize_treturns negative value or fails with exception. Then attempt to clearself->items[i].literalintemplate_clearleads to dereferencing of uninitialized pointer.Not sure if this worth fixing, since
_sre.templateis an internal implementation detail that is used only in_compile_templatefunction, where it accepts only (I guess) correct templates created in_parser.parse_templatefunction, and additional checks/initialization can affect its performance. But I'll submit a PR anyway.Linked PRs
_sre.template#106525