gh-142884: Use-After-Free Vulnerability Fixed in CPython array.array.tofile()

Author: fatelei

Lib/test/test_array.py

@@ -1367,6 +1367,21 @@ def test_frombytearray(self):
         b = array.array(self.typecode, a)
         self.assertEqual(a, b)
 
+    def test_tofile_concurrent_mutation(self):
+        BLOCKSIZE = 64 * 1024
+        victim = array.array('B', b'\0' * (BLOCKSIZE * 2))
+
+        class Writer:
+            cleared = False
+            def write(self, data):
+                if not self.cleared:
+                    self.cleared = True
+                    victim.clear()
+                return 0
+
+        victim.tofile(Writer())
+
+
 class IntegerNumberTest(NumberTest):
     def test_type_error(self):
         a = array.array(self.typecode)

Misc/NEWS.d/next/Library/2025-12-18-11-41-37.gh-issue-142884.kjgukd.rst

@@ -0,0 +1 @@
+Use-After-Free Vulnerability Fixed in CPython array.array.tofile().

Modules/arraymodule.c

@@ -1587,35 +1587,52 @@ static PyObject *
 array_array_tofile_impl(arrayobject *self, PyTypeObject *cls, PyObject *f)
 /*[clinic end generated code: output=4560c628d9c18bc2 input=5a24da7a7b407b52]*/
 {
-    Py_ssize_t nbytes = Py_SIZE(self) * self->ob_descr->itemsize;
     /* Write 64K blocks at a time */
     /* XXX Make the block size settable */
-    int BLOCKSIZE = 64*1024;
+    const Py_ssize_t BLOCKSIZE = 64*1024;
+    const Py_ssize_t itemsize = self->ob_descr->itemsize;
+
+    Py_ssize_t nbytes = Py_SIZE(self) * itemsize;
     Py_ssize_t nblocks = (nbytes + BLOCKSIZE - 1) / BLOCKSIZE;
-    Py_ssize_t i;
 
     if (Py_SIZE(self) == 0)
         goto done;
 
-
     array_state *state = get_array_state_by_class(cls);
     assert(state != NULL);
 
-    for (i = 0; i < nblocks; i++) {
-        char* ptr = self->ob_item + i*BLOCKSIZE;
-        Py_ssize_t size = BLOCKSIZE;
+    for (Py_ssize_t i = 0; i < nblocks; i++) {
+        if (self->ob_item == NULL || Py_SIZE(self) == 0) {
+            break;
+        }
+
+        if (Py_SIZE(self) > PY_SSIZE_T_MAX / itemsize) {
+            return PyErr_NoMemory();
+        }
+
+        Py_ssize_t current_nbytes = Py_SIZE(self) * itemsize;
+        const Py_ssize_t offset = i * BLOCKSIZE;
+        if (offset >= current_nbytes) {
+            break;
+        }
+
+        Py_ssize_t size = current_nbytes - offset;
+        if (size > BLOCKSIZE) {
+            size = BLOCKSIZE;
+        }
+
+        char* ptr = self->ob_item + offset;
         PyObject *bytes, *res;
 
-        if (i*BLOCKSIZE + size > nbytes)
-            size = nbytes - i*BLOCKSIZE;
         bytes = PyBytes_FromStringAndSize(ptr, size);
         if (bytes == NULL)
             return NULL;
+
         res = PyObject_CallMethodOneArg(f, state->str_write, bytes);
         Py_DECREF(bytes);
         if (res == NULL)
             return NULL;
-        Py_DECREF(res); /* drop write result */
+        Py_DECREF(res);
     }
 
   done: