	When the Py_CompileStringExFlags fuzzer encounters a SystemError, abort (#115147)
This allows us to catch bugs beyond memory corruption and assertions.
		
							parent
							
								
									8f0998e844
								
							
						
					
					
						commit
						38b970dfcc
					
				
					 1 changed files with 9 additions and 2 deletions
				
			
		|  | @ -502,7 +502,6 @@ static int fuzz_elementtree_parsewhole(const char* data, size_t size) { | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| #define MAX_PYCOMPILE_TEST_SIZE 16384 | #define MAX_PYCOMPILE_TEST_SIZE 16384 | ||||||
| static char pycompile_scratch[MAX_PYCOMPILE_TEST_SIZE]; |  | ||||||
| 
 | 
 | ||||||
| static const int start_vals[] = {Py_eval_input, Py_single_input, Py_file_input}; | static const int start_vals[] = {Py_eval_input, Py_single_input, Py_file_input}; | ||||||
| const size_t NUM_START_VALS = sizeof(start_vals) / sizeof(start_vals[0]); | const size_t NUM_START_VALS = sizeof(start_vals) / sizeof(start_vals[0]); | ||||||
|  | @ -531,6 +530,8 @@ static int fuzz_pycompile(const char* data, size_t size) { | ||||||
|     unsigned char optimize_idx = (unsigned char) data[1]; |     unsigned char optimize_idx = (unsigned char) data[1]; | ||||||
|     int optimize = optimize_vals[optimize_idx % NUM_OPTIMIZE_VALS]; |     int optimize = optimize_vals[optimize_idx % NUM_OPTIMIZE_VALS]; | ||||||
| 
 | 
 | ||||||
|  |     char pycompile_scratch[MAX_PYCOMPILE_TEST_SIZE]; | ||||||
|  | 
 | ||||||
|     // Create a NUL-terminated C string from the remaining input
 |     // Create a NUL-terminated C string from the remaining input
 | ||||||
|     memcpy(pycompile_scratch, data + 2, size - 2); |     memcpy(pycompile_scratch, data + 2, size - 2); | ||||||
|     // Put a NUL terminator just after the copied data. (Space was reserved already.)
 |     // Put a NUL terminator just after the copied data. (Space was reserved already.)
 | ||||||
|  | @ -549,7 +550,13 @@ static int fuzz_pycompile(const char* data, size_t size) { | ||||||
| 
 | 
 | ||||||
|     PyObject *result = Py_CompileStringExFlags(pycompile_scratch, "<fuzz input>", start, flags, optimize); |     PyObject *result = Py_CompileStringExFlags(pycompile_scratch, "<fuzz input>", start, flags, optimize); | ||||||
|     if (result == NULL) { |     if (result == NULL) { | ||||||
|         /* compilation failed, most likely from a syntax error */ |         /* Compilation failed, most likely from a syntax error. If it was a
 | ||||||
|  |            SystemError we abort. There's no non-bug reason to raise a | ||||||
|  |            SystemError. */ | ||||||
|  |         if (PyErr_Occurred() && PyErr_ExceptionMatches(PyExc_SystemError)) { | ||||||
|  |             PyErr_Print(); | ||||||
|  |             abort(); | ||||||
|  |         } | ||||||
|         PyErr_Clear(); |         PyErr_Clear(); | ||||||
|     } else { |     } else { | ||||||
|         Py_DECREF(result); |         Py_DECREF(result); | ||||||
|  |  | ||||||
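Review bot: In the `result == NULL` branch, a NULL return with no exception set still falls through to `PyErr_Clear()` and is treated as an ordinary compile failure, because the new guard `PyErr_Occurred() && PyErr_ExceptionMatches(PyExc_SystemError)` only fires when an error is pending. A NULL result without a pending exception is itself a C-API contract violation, so the harness would catch more by aborting there too, e.g. `if (!PyErr_Occurred()) { abort(); }` placed ahead of the SystemError check. Separately, the second hunk moves the 16384-byte `pycompile_scratch` from static storage onto the stack; presumably an earlier size check bounds `memcpy(pycompile_scratch, data + 2, size - 2)` and leaves room for the NUL terminator, but that check is outside the visible hunks and is worth confirming against the now stack-allocated buffer. `fuzz_pycompile` begins and ends outside these hunks.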
	 Alex Gaynor
						Alex Gaynor