gh-143546: Fix heap buffer overflow in set_clear_internal #143628
Closed
aviralgarg05 wants to merge 5 commits into python:main from
Added a bounds check in set_clear_internal to prevent heap buffer overflow when the set is mutated re-entrantly during iteration (e.g. via __eq__). Added regression test in Lib/test/test_set.py.
skirpichev reviewed Jan 10, 2026
Misc/NEWS.d/next/Core_and_Builtins/2026-01-10-01-46-00.gh-issue-143546.fixed.rst
Member
This issue can no longer be reproduced. I'm afraid this PR just hid the problem and could lead to memory leaks.
This PR fixes a heap buffer overflow vulnerability in set_clear_internal (Issue gh-143546).
The Issue
The function set_clear_internal could read past the end of the allocated table buffer if the set's used count became inconsistent with the actual table state. This inconsistency occurs due to re-entrancy: if __eq__ is invoked on a set element during an intersection operation (e.g., set_iand), user code can mutate the set (clearing or resizing it) while the interpreter is still holding pointers to the old table.
The Fix
I added a bounds check to the clearing loop in set_clear_internal. The loop condition now strictly enforces entry < table + oldsize in addition to checking used > 0. This guarantees that the loop terminates safely before accessing invalid memory, even if so->used is corrupted or inconsistent with the current table size.
Testing
Added a new regression test test_reentrant_clear_in_iand in Lib/test/test_set.py. This test reproduces the crash scenario by defining a custom object with a re-entrant __eq__ method that clears the set during a set_iand (&=) operation.
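The loop condition described above, modelled on a simplified table as an added example; this is not CPython's code or the PR's patch, and entry_t, clear_result, count_only_overruns and clear_bounded are hypothetical names. The table contents and the stale used value are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-in for a hash-set slot; not CPython's setentry. */
typedef struct { const void *key; } entry_t;

typedef struct {
    size_t visited;    /* slots the loop examined */
    size_t released;   /* live keys the loop dropped */
    size_t used_left;  /* live-entry count still outstanding at exit */
} clear_result;

/* A loop that stops only when `used` reaches 0 leaves the table whenever
 * `used` exceeds the live keys stored. Checked by counting, in bounds. */
int count_only_overruns(const entry_t *table, size_t size, size_t used)
{
    size_t live = 0;
    for (size_t i = 0; i < size; i++)
        live += (table[i].key != NULL);
    return used > live;
}

/* Bounded loop, the condition described in the PR text:
 * entry < table + oldsize in addition to used > 0. */
clear_result clear_bounded(entry_t *table, size_t size, size_t used)
{
    clear_result r = {0, 0, used};
    for (entry_t *e = table; e < table + size && r.used_left > 0; e++) {
        r.visited++;
        if (e->key != NULL) {
            e->key = NULL;   /* stands in for releasing the reference */
            r.released++;
            r.used_left--;
        }
    }
    return r;
}

int main(void)
{
    static int obj;                      /* constructed sample key */
    entry_t table[8] = {{NULL}};
    table[1].key = &obj;
    table[5].key = &obj;                 /* 2 live keys, stale used = 3 */
    printf("count-only overruns: %d\n", count_only_overruns(table, 8, 3));
    clear_result r = clear_bounded(table, 8, 3);
    printf("visited=%zu released=%zu used_left=%zu\n", r.visited, r.released, r.used_left);
    return 0;
}
```

A nonzero used_left on return shows that the count and the table disagreed; in this model the bounded loop stops the out-of-bounds read but does not repair that state.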