[3.13] gh-143003: Fix possible shared buffer overflow in bytearray.extend() (GH-143086) (GH-143448)

StanFromIreland · serhiy-storchaka · web-flow · commit e0e255e244dd · 2026-01-06T13:49:31.000+02:00
When __length_hint__() returns 0 for non-empty iterator, the data can be written past the shared 0-terminated buffer, corrupting it. (cherry picked from commit 5225635) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
diff --git a/Lib/test/test_bytes.py b/Lib/test/test_bytes.py
@@ -1941,6 +1941,23 @@ def make_case():
         with self.assertRaises(BufferError):
             ba.rsplit(evil)
 
+    def test_extend_empty_buffer_overflow(self):
+        # gh-143003
+        class EvilIter:
+            def __iter__(self):
+                return self
+            def __next__(self):
+                return next(source)
+            def __length_hint__(self):
+                return 0
+
+        # Use ASCII digits so float() takes the fast path that expects a NUL terminator.
+        source = iter(b'42')
+        ba = bytearray()
+        ba.extend(EvilIter())
+
+        self.assertRaises(ValueError, float, bytearray())
+
     def test_hex_use_after_free(self):
         # Prevent UAF in bytearray.hex(sep) with re-entrant sep.__len__.
         # Regression test for https://github.com/python/cpython/issues/143195.
diff --git a/Misc/NEWS.d/next/Core and Builtins/2025-12-23-00-13-02.gh-issue-143003.92g5qW.rst b/Misc/NEWS.d/next/Core and Builtins/2025-12-23-00-13-02.gh-issue-143003.92g5qW.rst
@@ -0,0 +1,2 @@
+Fix an overflow of the shared empty buffer in :meth:`bytearray.extend` when
+``__length_hint__()`` returns 0 for non-empty iterator.
diff --git a/Objects/bytearrayobject.c b/Objects/bytearrayobject.c
@@ -1871,7 +1871,6 @@ bytearray_extend(PyByteArrayObject *self, PyObject *iterable_of_ints)
             Py_DECREF(bytearray_obj);
             return NULL;
         }
-        buf[len++] = value;
         Py_DECREF(item);
 
         if (len >= buf_size) {
@@ -1881,7 +1880,7 @@ bytearray_extend(PyByteArrayObject *self, PyObject *iterable_of_ints)
                 Py_DECREF(bytearray_obj);
                 return PyErr_NoMemory();
             }
-            addition = len >> 1;
+            addition = len ? len >> 1 : 1;
             if (addition > PY_SSIZE_T_MAX - len - 1)
                 buf_size = PY_SSIZE_T_MAX;
             else
@@ -1895,6 +1894,7 @@ bytearray_extend(PyByteArrayObject *self, PyObject *iterable_of_ints)
                have invalidated it. */
             buf = PyByteArray_AS_STRING(bytearray_obj);
         }
+        buf[len++] = value;
     }
     Py_DECREF(it);
 

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	+Fix an overflow of the shared empty buffer in :meth:`bytearray.extend` when
	`2`	+``__length_hint__()`` returns 0 for non-empty iterator.
Original file line number	Diff line number	Diff line change
`@@ -1871,7 +1871,6 @@ bytearray_extend(PyByteArrayObject self, PyObject iterable_of_ints)`
`1871`	`1871`	`Py_DECREF(bytearray_obj);`
`1872`	`1872`	`return NULL;`
`1873`	`1873`	`}`
`1874`		`- buf[len++] = value;`
`1875`	`1874`	`Py_DECREF(item);`
`1876`	`1875`
`1877`	`1876`	`if (len >= buf_size) {`
`@@ -1881,7 +1880,7 @@ bytearray_extend(PyByteArrayObject self, PyObject iterable_of_ints)`
`1881`	`1880`	`Py_DECREF(bytearray_obj);`
`1882`	`1881`	`return PyErr_NoMemory();`
`1883`	`1882`	`}`
`1884`		`- addition = len >> 1;`
	`1883`	`+ addition = len ? len >> 1 : 1;`
`1885`	`1884`	`if (addition > PY_SSIZE_T_MAX - len - 1)`
`1886`	`1885`	`buf_size = PY_SSIZE_T_MAX;`
`1887`	`1886`	`else`
`@@ -1895,6 +1894,7 @@ bytearray_extend(PyByteArrayObject self, PyObject iterable_of_ints)`
`1895`	`1894`	`have invalidated it. */`
`1896`	`1895`	`buf = PyByteArray_AS_STRING(bytearray_obj);`
`1897`	`1896`	`}`
	`1897`	`+ buf[len++] = value;`
`1898`	`1898`	`}`
`1899`	`1899`	`Py_DECREF(it);`
`1900`	`1900`