chore: resolve comment review

fatelei · fatelei · commit 31f45131e8a8 · 2025-12-28T21:07:13.000+08:00
diff --git a/Lib/test/test_array.py b/Lib/test/test_array.py
@@ -1368,6 +1368,8 @@ def test_frombytearray(self):
         self.assertEqual(a, b)
 
     def test_tofile_concurrent_mutation(self):
+        # Keep this test in sync with the implementation in
+        # Modules/arraymodule.c:array_array_tofile_impl()
         BLOCKSIZE = 64 * 1024
         victim = array.array('B', b'\0' * (BLOCKSIZE * 2))
 
diff --git a/Misc/NEWS.d/next/Library/2025-12-18-11-41-37.gh-issue-142884.kjgukd.rst b/Misc/NEWS.d/next/Library/2025-12-18-11-41-37.gh-issue-142884.kjgukd.rst
@@ -1 +1 @@
-Use-After-Free Vulnerability Fixed in CPython array.array.tofile().
+:mod:`array`: fix a crash in :mod:`array.array.tofile` when the array is concurrently modified by the writer.
diff --git a/Modules/arraymodule.c b/Modules/arraymodule.c
@@ -1589,29 +1589,26 @@ array_array_tofile_impl(arrayobject *self, PyTypeObject *cls, PyObject *f)
 {
     /* Write 64K blocks at a time */
     /* XXX Make the block size settable */
-    const Py_ssize_t BLOCKSIZE = 64*1024;
-    const Py_ssize_t itemsize = self->ob_descr->itemsize;
-
-    Py_ssize_t nbytes = Py_SIZE(self) * itemsize;
-    Py_ssize_t nblocks = (nbytes + BLOCKSIZE - 1) / BLOCKSIZE;
+    Py_ssize_t BLOCKSIZE = 64*1024;
+    Py_ssize_t max_items = PY_SSIZE_T_MAX / self->ob_descr->itemsize;
 
     if (Py_SIZE(self) == 0)
         goto done;
 
     array_state *state = get_array_state_by_class(cls);
     assert(state != NULL);
 
-    for (Py_ssize_t i = 0; i < nblocks; i++) {
+    Py_ssize_t offset = 0;
+    while (1) {
         if (self->ob_item == NULL || Py_SIZE(self) == 0) {
             break;
         }
 
-        if (Py_SIZE(self) > PY_SSIZE_T_MAX / itemsize) {
+        if (Py_SIZE(self) > max_items) {
             return PyErr_NoMemory();
         }
 
-        Py_ssize_t current_nbytes = Py_SIZE(self) * itemsize;
-        const Py_ssize_t offset = i * BLOCKSIZE;
+        Py_ssize_t current_nbytes = Py_SIZE(self) * self->ob_descr->itemsize;
         if (offset >= current_nbytes) {
             break;
         }
@@ -1627,12 +1624,13 @@ array_array_tofile_impl(arrayobject *self, PyTypeObject *cls, PyObject *f)
         bytes = PyBytes_FromStringAndSize(ptr, size);
         if (bytes == NULL)
             return NULL;
-
         res = PyObject_CallMethodOneArg(f, state->str_write, bytes);
         Py_DECREF(bytes);
         if (res == NULL)
             return NULL;
-        Py_DECREF(res);
+        Py_DECREF(res); /* drop write result */
+
+        offset += size;
     }
 
   done:

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-Use-After-Free Vulnerability Fixed in CPython array.array.tofile().`
	`1`	+:mod:`array`: fix a crash in :mod:`array.array.tofile` when the array is concurrently modified by the writer.