Segfault from template string iterator #134119

Closed
devdanzin opened this issue May 17, 2025 · 1 comment
Labels: 3.14 (bugs and security fixes); 3.15 (new features, bugs and security fixes); interpreter-core (Objects, Python, Grammar, and Parser dirs); type-crash (A hard crash of the interpreter, possibly with a core dump)

devdanzin (Contributor) commented May 17, 2025

Crash report

What happened?

It's possible to segfault the interpreter by repeatedly calling next() on an exhausted template string iterator:

template_iter = iter(t"{1}")
next(template_iter)
try:
    next(template_iter)
except StopIteration:
    pass
next(template_iter)

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000555555b5bf79 in _Py_TYPE (ob=0x0) at ./Include/object.h:270
270             return ob->ob_type;

#0  0x0000555555b5bf79 in _Py_TYPE (ob=0x0) at ./Include/object.h:270
#1  PyUnicode_GET_LENGTH (op=0x0) at ./Include/cpython/unicodeobject.h:299
#2  templateiter_next (op=<string.templatelib.TemplateIter at remote 0x7fffb5084ed0>) at Objects/templateobject.c:26
#3  0x0000555555d4a21d in builtin_next (self=<optimized out>, args=0x7fffffffafc8, nargs=1) at Python/bltinmodule.c:1644
#4  0x0000555555ad51e6 in cfunction_vectorcall_FASTCALL (func=<built-in method next of module object at remote 0x7fffb425c8e0>,
    args=0x7fffffffafc8, nargsf=<optimized out>, kwnames=<optimized out>) at Objects/methodobject.c:450
#5  0x00005555559956f0 in _PyObject_VectorcallTstate (tstate=0x555556755e40 <_PyRuntime+362048>,
    callable=<built-in method next of module object at remote 0x7fffb425c8e0>, args=0x7fffffffafc8, nargsf=9223372036854775809, kwnames=0x0)
    at ./Include/internal/pycore_call.h:169
#6  0x000055555599584b in PyObject_Vectorcall (callable=callable@entry=<built-in method next of module object at remote 0x7fffb425c8e0>,
    args=args@entry=0x7fffffffafc8, nargsf=<optimized out>, kwnames=kwnames@entry=0x0) at Objects/call.c:327
#7  0x0000555555d870fb in _PyEval_EvalFrameDefault (tstate=tstate@entry=0x555556755e40 <_PyRuntime+362048>, frame=frame@entry=0x629000005840,
    throwflag=throwflag@entry=0) at Python/generated_cases.c.h:1619
#8  0x0000555555de915d in _PyEval_EvalFrame (throwflag=0, frame=0x629000005840, tstate=0x555556755e40 <_PyRuntime+362048>)
    at ./Include/internal/pycore_ceval.h:119

Found using fusil by @vstinner.

CPython versions tested on:

CPython main branch

Operating systems tested on:

Linux

Output from running 'python -VV' on the command line:

Python 3.15.0a0 (heads/main-dirty:fe9f6e829a5, May 13 2025, 11:40:11) [GCC 11.4.0] on linux


devdanzin added the type-crash (A hard crash of the interpreter, possibly with a core dump) label May 17, 2025
JelleZijlstra added a commit to JelleZijlstra/cpython that referenced this issue May 17, 2025
picnixz added the interpreter-core (Objects, Python, Grammar, and Parser dirs), 3.14 (bugs and security fixes) and 3.15 (new features, bugs and security fixes) labels May 17, 2025
JelleZijlstra added a commit that referenced this issue May 17, 2025
miss-islington pushed a commit to miss-islington/cpython that referenced this issue May 17, 2025
…iterator (pythonGH-134120)

(cherry picked from commit fc7f4c3)

Co-authored-by: Jelle Zijlstra <[email protected]>
Co-authored-by: Bénédikt Tran <[email protected]>
JelleZijlstra added a commit that referenced this issue May 17, 2025
… iterator (GH-134120) (#134153)

gh-134119: Fix crash from calling next() on exhausted template iterator (GH-134120)
(cherry picked from commit fc7f4c3)

Co-authored-by: Jelle Zijlstra <[email protected]>
Co-authored-by: Bénédikt Tran <[email protected]>
JelleZijlstra (Member) commented:

Thanks for the report!
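A regression check for the crash reported above, added here as an example (it is not part of the issue thread or of CPython's test suite). It runs the report's reproducer in a child interpreter so that a segfault cannot take down the caller, and classifies the result from the exit status; the names `PROBE`, `classify` and `run_probe` are hypothetical, and the signal-based classification assumes a POSIX system such as the Linux host in the report.

```python
import signal
import subprocess
import sys

# Reproducer from the report. The last two next() calls are both wrapped, so an
# interpreter that carries the fix exits 0 instead of ending on StopIteration.
PROBE = '''
template_iter = iter(t"{1}")
next(template_iter)
for _ in range(2):
    try:
        next(template_iter)
    except StopIteration:
        pass
'''


def classify(returncode, stderr):
    """Map a child's exit status to a verdict (POSIX: negative means killed by a signal)."""
    if returncode < 0:
        try:
            name = signal.Signals(-returncode).name
        except ValueError:
            name = f"signal {-returncode}"
        return f"crashed ({name})"
    if returncode == 0:
        return "not affected"
    if "SyntaxError" in stderr:
        # Interpreters without template string literals cannot parse the probe.
        return "unsupported (no template strings)"
    return f"error (exit {returncode})"


def run_probe(code=PROBE, python=sys.executable, timeout=30):
    """Run `code` in a separate interpreter; return (verdict, child stderr)."""
    proc = subprocess.run(
        # -X faulthandler makes the child dump a Python traceback on SIGSEGV.
        [python, "-X", "faulthandler", "-c", code],
        capture_output=True, text=True, timeout=timeout,
    )
    return classify(proc.returncode, proc.stderr), proc.stderr


if __name__ == "__main__":
    verdict, err = run_probe()
    print(verdict)
    if verdict.startswith("crashed"):
        print(err, file=sys.stderr)
```

Pass a different interpreter path as `python=` to check a specific build, for example one from before and one from after the linked fix.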
