gh-143195: fix UAF in {bytearray,memoryview}.hex(sep) via re-entrant sep.__len__

picnixz · picnixz · commit 0488d2199f90 · 2025-12-27T10:25:32.000+01:00
diff --git a/Lib/test/test_bytes.py b/Lib/test/test_bytes.py
@@ -2092,6 +2092,19 @@ def make_case():
         with self.assertRaises(BufferError):
             ba.rsplit(evil)
 
+    def test_hex_use_after_free(self):
+        # Prevent UAF in bytearray.hex(sep) with re-entrant sep.__len__.
+        # Regression test for https://github.com/python/cpython/issues/143195.
+        ba = bytearray(b'\xAA')
+
+        class S(bytes):
+            def __len__(self):
+                ba.clear()
+                return 1
+
+        self.assertRaises(BufferError, ba.hex, S(b':'))
+
+
 class AssortedBytesTest(unittest.TestCase):
     #
     # Test various combinations of bytes and bytearray
diff --git a/Lib/test/test_memoryview.py b/Lib/test/test_memoryview.py
@@ -4,6 +4,7 @@
    are in test_buffer.
 """
 
+import contextlib
 import unittest
 import test.support
 import sys
@@ -442,6 +443,22 @@ def test_issue22668(self):
         self.assertEqual(c.format, "H")
         self.assertEqual(d.format, "H")
 
+    def test_hex_use_after_free(self):
+        # Prevent UAF in memoryview.hex(sep) with re-entrant sep.__len__.
+        # Regression test for https://github.com/python/cpython/issues/143195.
+        ba = bytearray(b'A' * 1024)
+        mv = memoryview(ba)
+
+        class S(bytes):
+            def __len__(self):
+                mv.release()
+                ba.clear()
+                return 1
+
+        # The following should not crash but it may not necessarily raise.
+        with contextlib.suppress(BufferError):
+            mv.hex(S(b':'))
+
 
 # Variations on source objects for the buffer: bytes-like objects, then arrays
 # with itemsize > 1.
diff --git a/Misc/NEWS.d/next/Core_and_Builtins/2025-12-27-10-14-26.gh-issue-143195.MNldfr.rst b/Misc/NEWS.d/next/Core_and_Builtins/2025-12-27-10-14-26.gh-issue-143195.MNldfr.rst
@@ -0,0 +1,3 @@
+Fix use-after-free crashes in :meth:`bytearray.hex` and :meth:`memoryview.hex`
+when the separator's :meth:`~object.__len__` mutates the original object.
+Patch by Bénédikt Tran.
diff --git a/Objects/bytearrayobject.c b/Objects/bytearrayobject.c
@@ -2664,7 +2664,13 @@ bytearray_hex_impl(PyByteArrayObject *self, PyObject *sep, int bytes_per_sep)
 {
     char* argbuf = PyByteArray_AS_STRING(self);
     Py_ssize_t arglen = PyByteArray_GET_SIZE(self);
-    return _Py_strhex_with_sep(argbuf, arglen, sep, bytes_per_sep);
+    // Prevent 'self' from being freed if computing len(sep) mutates 'self'
+    // in _Py_strhex_with_sep().
+    // See: https://github.com/python/cpython/issues/143195.
+    self->ob_exports++;
+    PyObject *res = _Py_strhex_with_sep(argbuf, arglen, sep, bytes_per_sep);
+    self->ob_exports--;
+    return res;
 }
 
 static PyObject *

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+Fix use-after-free crashes in :meth:`bytearray.hex` and :meth:`memoryview.hex`
	`2`	+when the separator's :meth:`~object.__len__` mutates the original object.
	`3`	`+Patch by Bénédikt Tran.`
Original file line number	Diff line number	Diff line change
`@@ -2664,7 +2664,13 @@ bytearray_hex_impl(PyByteArrayObject self, PyObject sep, int bytes_per_sep)`
`2664`	`2664`	`{`
`2665`	`2665`	`char* argbuf = PyByteArray_AS_STRING(self);`
`2666`	`2666`	`Py_ssize_t arglen = PyByteArray_GET_SIZE(self);`
`2667`		`- return _Py_strhex_with_sep(argbuf, arglen, sep, bytes_per_sep);`
	`2667`	`+ // Prevent 'self' from being freed if computing len(sep) mutates 'self'`
	`2668`	`+ // in _Py_strhex_with_sep().`
	`2669`	`+ // See: https://github.com/python/cpython/issues/143195.`
	`2670`	`+ self->ob_exports++;`
	`2671`	`+ PyObject *res = _Py_strhex_with_sep(argbuf, arglen, sep, bytes_per_sep);`
	`2672`	`+ self->ob_exports--;`
	`2673`	`+ return res;`
`2668`	`2674`	`}`
`2669`	`2675`
`2670`	`2676`	`static PyObject *`