BUG: in-place string multiply leads to heap buffer overflow.

[BergLucas]

Describe the issue:

Hi,

For a research paper, we carried out a large-scale benchmark of Pynguin, an Automatic Unit Test Generation Tool for Python, to test its new feature that can find Python interpreter crashes. In this benchmark, we found a potential bug in numpy, and we are reporting this issue.

The example was run with the command python -X faulthandler <test> to dump the traceback.

Reproduce the code example:

import numpy.polynomial.legendre as legendre

legendre.legder(("0", "0"), scl=20)

Error message:

Fatal Python error: Segmentation fault

Current thread 0x00007f3e28300bc0 [python] (most recent call first):
  Garbage-collecting
  <no Python frame>

Current thread's C stack trace (most recent call first):
  Binary file "/lib64/libpython3.14.so.1.0", at _Py_DumpStack+0x4c [0x7f3e27d213fa]
  Binary file "/lib64/libpython3.14.so.1.0", at +0x121e7e [0x7f3e27d21e7e]
  Binary file "/lib64/libc.so.6", at +0x1a2c0 [0x7f3e27a262c0]
  Binary file "/lib64/libpython3.14.so.1.0", at +0x1facd8 [0x7f3e27dfacd8]
  Binary file "/lib64/libpython3.14.so.1.0", at +0x183bf9 [0x7f3e27d83bf9]
  Binary file "/lib64/libpython3.14.so.1.0", at +0x1fab68 [0x7f3e27dfab68]
  Binary file "/lib64/libpython3.14.so.1.0", at +0x1fa12a [0x7f3e27dfa12a]
  Binary file "/lib64/libpython3.14.so.1.0", at +0x25ed69 [0x7f3e27e5ed69]
  Binary file "/lib64/libpython3.14.so.1.0", at +0x27fcd1 [0x7f3e27e7fcd1]
  Binary file "/lib64/libpython3.14.so.1.0", at Py_RunMain+0x231 [0x7f3e27e52401]
  Binary file "/lib64/libpython3.14.so.1.0", at Py_BytesMain+0x3b [0x7f3e27e4c75b]
  Binary file "/lib64/libc.so.6", at +0x35b5 [0x7f3e27a0f5b5]
  Binary file "/lib64/libc.so.6", at __libc_start_main+0x88 [0x7f3e27a0f668]
  Binary file "python", at _start+0x25 [0x55c7863453d5]

Extension modules: numpy._core._multiarray_umath, numpy.linalg._umath_linalg (total: 2)
Segmentation fault         (core dumped)

Python and NumPy Versions:

2.4.0
3.14.0 (main, Oct 17 2025, 00:00:00) [GCC 15.2.1 20251022 (Red Hat 15.2.1-3)]

Runtime Environment:

[{'numpy_version': '2.4.0',
'python': '3.14.0 (main, Oct 17 2025, 00:00:00) [GCC 15.2.1 20251022 (Red '
'Hat 15.2.1-3)]',
'uname': uname_result(system='Linux', node='lucas-hp', release='6.17.10-300.fc43.x86_64', version='#1 SMP PREEMPT_DYNAMIC Mon Dec 1 14:59:36 UTC 2025', machine='x86_64')},
{'simd_extensions': {'baseline': ['X86_V2'],
'found': ['X86_V3'],
'not_found': ['X86_V4', 'AVX512_ICL', 'AVX512_SPR']}},
{'ignore_floating_point_errors_in_matmul': False},
{'architecture': 'Haswell',
'filepath': '/home/lucas/Documents/crashes/.venv/lib/python3.14/site-packages/numpy.libs/libscipy_openblas64_-fdde5778.so',
'internal_api': 'openblas',
'num_threads': 12,
'prefix': 'libscipy_openblas',
'threading_layer': 'pthreads',
'user_api': 'blas',
'version': '0.3.30'}]

How does this issue affect you or how did you find it:

It's not a serious problem, but we thought it was important to at least warn you that this behaviour exists, so that you can take the action that suits you best.

[jorenham]

I'm not able to reproduce this, and get array(['0'], dtype='<U1') 🤔

[BergLucas]

It's really strange, I can't reproduce it in Docker either, even though I'm using the same versions and the same machine.
However, I tested the code on another machine running the same OS and encountered the same problem.

When I run it without a virtual environment and with numpy 2.3.5, I get this too:

Fatal Python error: Segmentation fault

Current thread 0x00007fb6ab25abc0 [python] (most recent call first):
  File "/usr/lib64/python3.14/site-packages/numpy/polynomial/legendre.py", line 698 in legder
  File "/home/lucas/Documents/crashes/./legder_crash.py", line 3 in <module>

Current thread's C stack trace (most recent call first):
  Binary file "/lib64/libpython3.14.so.1.0", at _Py_DumpStack+0x4c [0x7fb6aad213fa]
  Binary file "/lib64/libpython3.14.so.1.0", at +0x121e7e [0x7fb6aad21e7e]
  Binary file "/lib64/libc.so.6", at +0x1a2c0 [0x7fb6aaa262c0]
  Binary file "/usr/lib64/python3.14/site-packages/numpy/_core/_multiarray_umath.cpython-314-x86_64-linux-gnu.so", at +0x18ffed [0x7fb69bf8ffed]
  Binary file "/usr/lib64/python3.14/site-packages/numpy/_core/_multiarray_umath.cpython-314-x86_64-linux-gnu.so", at +0x155231 [0x7fb69bf55231]
  Binary file "/lib64/libpython3.14.so.1.0", at _PyEval_EvalFrameDefault+0xd39 [0x7fb6aad715d9]
  Binary file "/lib64/libpython3.14.so.1.0", at +0x16d245 [0x7fb6aad6d245]
  Binary file "/lib64/libpython3.14.so.1.0", at PyEval_EvalCode+0xb7 [0x7fb6aae5e187]
  Binary file "/lib64/libpython3.14.so.1.0", at +0x29cf33 [0x7fb6aae9cf33]
  Binary file "/lib64/libpython3.14.so.1.0", at +0x29e22a [0x7fb6aae9e22a]
  Binary file "/lib64/libpython3.14.so.1.0", at +0x29d654 [0x7fb6aae9d654]
  Binary file "/lib64/libpython3.14.so.1.0", at +0x29ce65 [0x7fb6aae9ce65]
  Binary file "/lib64/libpython3.14.so.1.0", at Py_RunMain+0x499 [0x7fb6aae52669]
  Binary file "/lib64/libpython3.14.so.1.0", at Py_BytesMain+0x3b [0x7fb6aae4c75b]
  Binary file "/lib64/libc.so.6", at +0x35b5 [0x7fb6aaa0f5b5]
  Binary file "/lib64/libc.so.6", at __libc_start_main+0x88 [0x7fb6aaa0f668]
  Binary file "python", at _start+0x25 [0x55854bd923d5]

Extension modules: numpy._core._multiarray_umath, numpy.linalg._umath_linalg (total: 2)
Segmentation fault         (core dumped)

[BergLucas]

Okay, I found the issue. The test above is too short, so depending on the machine, the problem may not occur. I managed to reproduce the issue on Docker by calling the function several times:

import numpy.polynomial.legendre as legendre

for i in range(10):
    print(repr(legendre.legder(("0", "0"), scl=20)))

docker run -it python:3.14.0-slim-trixie bash
pip install numpy==2.4.0
python -X faulthandler -c 'import numpy.polynomial.legendre as legendre

for i in range(10):
    print(repr(legendre.legder(("0", "0"), scl=20)))'

Sometimes it doesn't work the first time the command is executed, so you may need to try several times.

[ngoldbaum]

If I run the script with an ASan build of CPython and NumPy (see https://numpy.org/doc/stable/dev/development_advanced_debugging.html#compiler-sanitizers for more about running NumPy under ASan), I get a report about a heap buffer overflow:

python(5507,0x20a4860c0) malloc: nano zone abandoned due to inability to reserve vm space.
=================================================================
==5507==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000029b9f at pc 0x00010592dfe0 bp 0x00016ee97f30 sp 0x00016ee97f28
WRITE of size 16 at 0x602000029b9f thread T0
    #0 0x00010592dfdc in int string_multiply_strint_loop<(ENCODING)1>(PyArrayMethod_Context_tag*, char* const*, long const*, long const*, NpyAuxData_tag*) string_ufuncs.cpp:260
    #1 0x0001058f6198 in PyUFunc_GenericFunctionInternal ufunc_object.c:2242
    #2 0x0001058effc4 in ufunc_generic_fastcall ufunc_object.c:4715
    #3 0x0001022adeb0 in object_vacall call.c:820
    #4 0x0001022ae530 in PyObject_CallFunctionObjArgs call.c:927
    #5 0x0001057be00c in array_inplace_multiply number.c:521
    #6 0x00010226aa28 in PyNumber_InPlaceMultiply abstract.c:1322
    #7 0x0001025e91bc in _PyEval_EvalFrameDefault generated_cases.c.h:62
    #8 0x0001025d313c in PyEval_EvalCode ceval.c:975
    #9 0x000102718f9c in run_mod pythonrun.c:1459
    #10 0x000102713108 in _PyRun_SimpleFileObject pythonrun.c:521
    #11 0x000102712654 in _PyRun_AnyFileObject pythonrun.c:81
    #12 0x0001027791e8 in pymain_run_file main.c:429
    #13 0x000102777c00 in Py_RunMain main.c:775
    #14 0x0001027784ec in pymain_main main.c:805
    #15 0x0001027787f8 in Py_BytesMain main.c:829
    #16 0x00019c152b94 in start+0x17b8 (dyld:arm64e+0xfffffffffff3ab94)

0x602000029b9f is located 7 bytes after 8-byte region [0x602000029b90,0x602000029b98)
allocated by thread T0 here:
    #0 0x0001030cd330 in malloc+0x78 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3d330)
    #1 0x000105669bd0 in default_calloc alloc.c:338
    #2 0x000105669e44 in PyDataMem_UserNEW_ZEROED alloc.c:419
    #3 0x0001056b82e8 in PyArray_NewFromDescr_int ctors.c:876
    #4 0x0001056b92b0 in PyArray_NewFromDescr ctors.c:1008
    #5 0x0001056bea50 in PyArray_FromAny_int ctors.c:1695
    #6 0x0001056c0274 in PyArray_CheckFromAny_int ctors.c:1851
    #7 0x00010578b750 in _array_fromobject_generic multiarraymodule.c:1683
    #8 0x00010577d62c in array_array multiarraymodule.c:1758
    #9 0x0001022aa698 in PyObject_Vectorcall call.c:327
    #10 0x0001025e8d80 in _PyEval_EvalFrameDefault generated_cases.c.h:2959
    #11 0x0001025d313c in PyEval_EvalCode ceval.c:975
    #12 0x000102718f9c in run_mod pythonrun.c:1459
    #13 0x000102713108 in _PyRun_SimpleFileObject pythonrun.c:521
    #14 0x000102712654 in _PyRun_AnyFileObject pythonrun.c:81
    #15 0x0001027791e8 in pymain_run_file main.c:429
    #16 0x000102777c00 in Py_RunMain main.c:775
    #17 0x0001027784ec in pymain_main main.c:805
    #18 0x0001027787f8 in Py_BytesMain main.c:829
    #19 0x00019c152b94 in start+0x17b8 (dyld:arm64e+0xfffffffffff3ab94)

SUMMARY: AddressSanitizer: heap-buffer-overflow string_ufuncs.cpp:260 in int string_multiply_strint_loop<(ENCODING)1>(PyArrayMethod_Context_tag*, char* const*, long const*, long const*, NpyAuxData_tag*)
Shadow bytes around the buggy address:
  0x602000029900: fa fa 00 00 fa fa 00 00 fa fa fd fd fa fa fd fd
  0x602000029980: fa fa 00 00 fa fa 00 00 fa fa fd fa fa fa 00 00
  0x602000029a00: fa fa 00 fa fa fa fd fa fa fa 00 00 fa fa 00 fa
  0x602000029a80: fa fa fd fd fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x602000029b00: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
=>0x602000029b80: fa fa 00[fa]fa fa fd fa fa fa fd fa fa fa fd fd
  0x602000029c00: fa fa 00 00 fa fa fd fa fa fa 00 fa fa fa fa fa
  0x602000029c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x602000029d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x602000029d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x602000029e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==5507==ABORTING
[1]    5507 abort      python test.py

I also get the following Python stack trace from faulthandler:

Current thread 0x000000020a4860c0 (most recent call first):
  File "/Users/goldbaum/.pyenv/versions/3.14-dev-asan/lib/python3.14/site-packages/numpy/polynomial/legendre.py", line 689 in legder
  File "/Users/goldbaum/Documents/test/test-leg/test.py", line 4 in <module>

This line in the legendre implementation is triggering the crash:

numpy/numpy/polynomial/legendre.py

Line 689 in f6440be

c *= scl

First, we should fix the string multiply ufunc so it's not possible for python code to trigger a heap buffer overflow.

Second, we should probably update the legendre code to reject string dtypes or try to convert to float64 or something sensible.

[BergLucas]

If it can help you, here is a minimal reproducible example for the heap buffer overflow:

import numpy as np

c = np.array("0")
c *= 20

[ngoldbaum]

@BergLucas if you find any more ASan reports running your tests under an ASan build, please report those too. Also maybe you'd be interested in @devdanzin's work on fuzzing. Seems similar!

[BergLucas]

I found a few other segmentation faults, but they were in internal code, so I didn't report them. Would you be interested in crashes like these?

I am already familiar with the work of @devdanzin on fuzzing, and he is indeed doing something similar using different tools. His report on the results of his large-scale fuzzing campaign a few months ago was particularly interesting!

[ngoldbaum]

Crashes in internal code are less exciting but we should probably fix them. Maybe all in one bulk issue?

[ngoldbaum]

ping @lysnikolaou - we talked a little about this issue today.