Bug report
Bug description:
In test_pre_initialization_sys_options() (Programs/_testembed.c),
the pointers dynamic_once_warnoption and dynamic_xoption allocated via
calloc() are passed to wcsncpy() without NULL checks.
On allocation failure (OOM), this can lead to a NULL dereference.
```c
/* bpo-33042: Ensure embedding apps can predefine sys module options */
static int test_pre_initialization_sys_options(void)
{
    /* We allocate a couple of the options dynamically, and then delete
     * them before calling Py_Initialize. This ensures the interpreter isn't
     * relying on the caller to keep the passed in strings alive.
     */
    const wchar_t *static_warnoption = L"once";
    const wchar_t *static_xoption = L"also_not_an_option=2";
    size_t warnoption_len = wcslen(static_warnoption);
    size_t xoption_len = wcslen(static_xoption);
    wchar_t *dynamic_once_warnoption = \
             (wchar_t *) calloc(warnoption_len+1, sizeof(wchar_t));
    wchar_t *dynamic_xoption = \
             (wchar_t *) calloc(xoption_len+1, sizeof(wchar_t));
    wcsncpy(dynamic_once_warnoption, static_warnoption, warnoption_len+1);
    wcsncpy(dynamic_xoption, static_xoption, xoption_len+1);
```
Found by Linux Verification Center (linuxtesting.org) with SVACE.
CPython versions tested on:
CPython main branch
Operating systems tested on:
Linux
Linked PRs
calloc() results in _testembed.c::test_pre_initialization_sys_options (GH-139147) #139413
calloc() results in _testembed.c::test_pre_initialization_sys_options (GH-139147) #139414
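The pattern from the report with the missing checks added, as an example written for this page; it is not CPython's code and not the change made in the linked PRs. The names `test_calloc`, `test_free`, `dup_wide` and `setup_options` are hypothetical, and the fault injector is constructed so the OOM path can be exercised deterministically.

```c
#include <stdio.h>
#include <stdlib.h>
#include <wchar.h>

/* Constructed fault injector: the fail_at-th allocation (1-based) returns NULL. */
static int fail_at = 0, alloc_calls = 0, live_blocks = 0;

static void *test_calloc(size_t n, size_t size)
{
    if (++alloc_calls == fail_at) return NULL;   /* simulated OOM */
    void *p = calloc(n, size);
    if (p != NULL) live_blocks++;
    return p;
}

static void test_free(void *p) { if (p) { live_blocks--; free(p); } }

/* Copy a wide string into fresh storage; returns NULL on allocation failure. */
static wchar_t *dup_wide(const wchar_t *src)
{
    size_t len = wcslen(src);
    wchar_t *dst = (wchar_t *)test_calloc(len + 1, sizeof(wchar_t));
    if (dst == NULL) return NULL;   /* checked before wcsncpy() writes to it */
    wcsncpy(dst, src, len + 1);
    return dst;
}

/* Same two option strings as the report; returns 0 on success, -1 on OOM. */
static int setup_options(int fail_on_call)
{
    int rc = -1;
    wchar_t *warnopt = NULL, *xopt = NULL;
    fail_at = fail_on_call;
    alloc_calls = 0;
    warnopt = dup_wide(L"once");
    if (warnopt == NULL) goto done;
    xopt = dup_wide(L"also_not_an_option=2");
    if (xopt == NULL) goto done;
    rc = 0;
done:
    test_free(warnopt);   /* also releases the first buffer if the second failed */
    test_free(xopt);
    return rc;
}

int main(void)
{
    for (int i = 0; i <= 2; i++) {
        int rc = setup_options(i);
        printf("fail_at=%d rc=%d live_blocks=%d\n", i, rc, live_blocks);
    }
    return 0;
}
```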