From ff785cef1b6ee2d9e53f3095ae2a312ae16d22c7 Mon Sep 17 00:00:00 2001 From: stratakis Date: Wed, 8 Jul 2020 22:39:41 +0200 Subject: [PATCH] bpo-41175: Guard against a NULL pointer dereference within bytearrayobject (GH-21240) The issue is triggered by the bytearray() + bytearray() operation. Detected by GCC 10 static analysis tool. (cherry picked from commit 61fc23ca106bc82955b0e59d1ab42285b94899e2) Co-authored-by: stratakis --- .../2020-06-30-20-17-31.bpo-41175.acJoXB.rst | 2 ++ Objects/bytearrayobject.c | 4 +++- 2 files changed, 5 insertions(+), 1 deletion(-) create mode 100644 Misc/NEWS.d/next/Core and Builtins/2020-06-30-20-17-31.bpo-41175.acJoXB.rst diff --git a/Misc/NEWS.d/next/Core and Builtins/2020-06-30-20-17-31.bpo-41175.acJoXB.rst b/Misc/NEWS.d/next/Core and Builtins/2020-06-30-20-17-31.bpo-41175.acJoXB.rst new file mode 100644 index 00000000000000..844fb804c0c8d4 --- /dev/null +++ b/Misc/NEWS.d/next/Core and Builtins/2020-06-30-20-17-31.bpo-41175.acJoXB.rst @@ -0,0 +1,2 @@ +Guard against a NULL pointer dereference within bytearrayobject triggered by +the ``bytearray() + bytearray()`` operation. diff --git a/Objects/bytearrayobject.c b/Objects/bytearrayobject.c index 590b8060561868..d4d02336b6cf03 100644 --- a/Objects/bytearrayobject.c +++ b/Objects/bytearrayobject.c @@ -276,7 +276,9 @@ PyByteArray_Concat(PyObject *a, PyObject *b) result = (PyByteArrayObject *) \ PyByteArray_FromStringAndSize(NULL, va.len + vb.len); - if (result != NULL) { + // result->ob_bytes is NULL if result is an empty string: + // if va.len + vb.len equals zero. + if (result != NULL && result->ob_bytes != NULL) { memcpy(result->ob_bytes, va.buf, va.len); memcpy(result->ob_bytes + va.len, vb.buf, vb.len); }