Skip to content

gh-143195: fix UAF in {bytearray,memoryview}.hex(sep) via re-entrant sep.__len__ #143209

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
picnixz merged 3 commits into from
Dec 27, 2025
Merged

gh-143195: fix UAF in {bytearray,memoryview}.hex(sep) via re-entrant sep.__len__ #143209

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
0488d21
gh-143195: fix UAF in `{bytearray,memoryview}.hex(sep)` via re-entran…
picnixz Dec 27, 2025
0b1553f
explicitly fix `memoryview.hex`
picnixz Dec 27, 2025
f2d9558
add comment
picnixz Dec 27, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 13 additions & 0 deletions Lib/test/test_bytes.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2092,6 +2092,19 @@ def make_case():
with self.assertRaises(BufferError):
ba.rsplit(evil)

def test_hex_use_after_free(self):
# Prevent UAF in bytearray.hex(sep) with re-entrant sep.__len__.
# Regression test for https://github.com/python/cpython/issues/143195.
ba = bytearray(b'\xAA')

class S(bytes):
def __len__(self):
ba.clear()
return 1

self.assertRaises(BufferError, ba.hex, S(b':'))


class AssortedBytesTest(unittest.TestCase):
#
# Test various combinations of bytes and bytearray
Expand Down
17 changes: 17 additions & 0 deletions Lib/test/test_memoryview.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@
are in test_buffer.
"""

import contextlib
import unittest
import test.support
import sys
Expand Down Expand Up @@ -442,6 +443,22 @@ def test_issue22668(self):
self.assertEqual(c.format, "H")
self.assertEqual(d.format, "H")

def test_hex_use_after_free(self):
# Prevent UAF in memoryview.hex(sep) with re-entrant sep.__len__.
# Regression test for https://github.com/python/cpython/issues/143195.
ba = bytearray(b'A' * 1024)
mv = memoryview(ba)

class S(bytes):
def __len__(self):
mv.release()
ba.clear()
return 1

# The following should not crash but it may not necessarily raise.
with contextlib.suppress(BufferError):
mv.hex(S(b':'))


# Variations on source objects for the buffer: bytes-like objects, then arrays
# with itemsize > 1.
Expand Down
3 changes: 3 additions & 0 deletions Misc/NEWS.d/next/Core_and_Builtins/2025-12-27-10-14-26.gh-issue-143195.MNldfr.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
Fix use-after-free crashes in :meth:`bytearray.hex` and :meth:`memoryview.hex`
when the separator's :meth:`~object.__len__` mutates the original object.
Patch by Bénédikt Tran.
8 changes: 7 additions & 1 deletion Objects/bytearrayobject.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2664,7 +2664,13 @@ bytearray_hex_impl(PyByteArrayObject *self, PyObject *sep, int bytes_per_sep)
{
char* argbuf = PyByteArray_AS_STRING(self);
Py_ssize_t arglen = PyByteArray_GET_SIZE(self);
return _Py_strhex_with_sep(argbuf, arglen, sep, bytes_per_sep);
// Prevent 'self' from being freed if computing len(sep) mutates 'self'
// in _Py_strhex_with_sep().
// See: https://github.com/python/cpython/issues/143195.
self->ob_exports++;
PyObject *res = _Py_strhex_with_sep(argbuf, arglen, sep, bytes_per_sep);
self->ob_exports--;
return res;
}

static PyObject *
Expand Down
Loading