Return value of <ExceptionGroup class>.split has insufficient checks leading to a type confusion bug #128049
Description
Crash report
What happened?
The following code has checks to make sure the return value is a tuple and of size 2, but only in asserts which means that these checks wont happen on a non-debug build.
Lines 2093 to 2101 in b92f101
So you can create an ExceptionGroup subclass with a custom split function that doesnt return a tuple, and it will try to interpret that object as a tuple.
PoC
class Evil(BaseExceptionGroup):
def split(self, *args):
return "NOT A TUPLE!"
print("Running...")
try:
raise Evil("wow!", [Exception()])
except* Exception:
pass
print("program should crash before reaching this")Output
Running...
Segmentation fault (core dumped)
CPython versions tested on:
3.11, 3.12, 3.13
Operating systems tested on:
Linux, Windows
Output from running 'python -VV' on the command line:
No response
Linked PRs
- gh-128049: Fix type confusion bug with the return value of a custom ExceptionGroup split function #128079
- [3.13] gh-128049: Fix type confusion bug with the return value of a custom ExceptionGroup split function (GH-128079) #128139
- [3.12] gh-128049: Fix type confusion bug with the return value of a custom ExceptionGroup split function (GH-128079) #128140