10 changes: 10 additions & 0 deletions Lib/test/test_cmd_line.py
Expand Up @@ -201,6 +201,16 @@ def test_run_module_bug1764407(self):
self.assertTrue(data.find(b'1 loop') != -1)
self.assertTrue(data.find(b'__main__.Timer') != -1)

@support.cpython_only
def test_null_byte_in_interactive_mode(self):
# gh-140594: Fix a buffer overflow when a single NULL character is read
# from standard input in interactive mode. The test ensures that
# feeding a null byte to the interactive prompt does not crash
# the interpreter.
proc = spawn_python('-i')
proc.communicate(b'\x00', timeout=10)
self.assertEqual(proc.returncode, 0)

def test_relativedir_bug46421(self):
# Test `python -m unittest` with a relative directory beginning with ./
# Note: We have to switch to the project's top module's directory, as per
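Review bot: The assertion in test_null_byte_in_interactive_mode checks only that `proc.returncode` is 0 after a single b'\x00', and a read just before the start of a buffer may not fault on a build without a memory sanitizer, so the test can pass with or without the fix. Add a case where data follows the NUL byte and assert on what the interpreter does with it, so the loop behavior after the n == 0 case is pinned down. If `communicate()` reaches its 10 second timeout the child process is left running, so kill it in a cleanup step. The comment's "buffer overflow" and "NULL character" should match the wording settled on in review (out of bounds read, NUL).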
@@ -0,0 +1,2 @@
Fix a buffer overflow when a single NULL character is read from the standard input.
Member

It's not a buffer overflow, "just" a read out of bounds.

Suggested change
Fix a buffer overflow when a single NULL character is read from the standard input.
Fix an out of bounds read when a single NUL character is read from the standard input.

Patch by Shamil Abdulaev.
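Review bot: The first line of this entry does not say which input path is affected; the test comment in Lib/test/test_cmd_line.py says "in interactive mode" and the code change is in PyOS_StdioReadline, so add "in interactive mode" here as well. "NULL character" should read "NUL character", since the trigger is the zero byte and not the pointer constant.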
2 changes: 1 addition & 1 deletion Parser/myreadline.c
Expand Up @@ -344,7 +344,7 @@ PyOS_StdioReadline(FILE *sys_stdin, FILE *sys_stdout, const char *prompt)
break;
}
n += strlen(p + n);
} while (p[n-1] != '\n');
} while (n == 0 || p[n-1] != '\n');
Member

I would prefer to stop the loop if n==0.

Suggested change
} while (n == 0 || p[n-1] != '\n');
} while (n != 0 && p[n-1] != '\n');

Contributor

Then input like b'\x00spam\nham\nspam\n' will stop early. Is this intended?

Member

I'm not sure which behavior is the correct behavior honestly.

I suppose that you should call readline again to read spam\n.

Member

It sounds worth it to add a test at least.

Contributor

Then behavior will be different if string starts with NUL byte or has it in the middle. I think we should document this difference.

Member

We already have this conversation here: #140910 (comment).
Current fix seems to be slightly better for me.


pr = (char *)PyMem_RawRealloc(p, n+1);
if (pr == NULL) {
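Review bot: The `n == 0 ||` guard in the `while` condition needs a comment, because nothing at that line says how n can still be 0 after `n += strlen(p + n);`: the sum does not grow when the chunk just read starts with a NUL byte. The guard covers only that leading case. A NUL byte later in the chunk also makes strlen() stop short, so n under-counts the bytes read and `p[n-1]` is then not the last byte read. State both above the condition and add a test with an embedded NUL, which would document the difference raised in the thread.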
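The loop conditions debated in the thread above, run on the input from the discussion, as an added example that is not part of the pull request or CPython's code. `read_line`, `demo` and the `guard` enum are hypothetical names, and the loop is a simplified stand-in built on plain `fgets()`.

```c
#include <stdio.h>
#include <string.h>

enum guard { UNGUARDED, CONTINUE_ON_ZERO, STOP_ON_ZERO };  /* conditions from the thread */

/* Simplified stand-in for the fgets()/strlen() loop (an assumption, not CPython's code).
 * Needs cap >= 2. Returns n, or -1 where the unguarded condition would evaluate p[-1]. */
long read_line(FILE *in, enum guard g, char *p, size_t cap)
{
    size_t n = 0;
    while (cap - n >= 2) {
        if (fgets(p + n, (int)(cap - n), in) == NULL)
            break;                          /* EOF or error */
        n += strlen(p + n);                 /* a leading NUL byte adds 0 */
        if (n == 0) {
            if (g == UNGUARDED) return -1;  /* p[n-1] would be p[-1] */
            if (g == STOP_ON_ZERO) break;   /* n != 0 && p[n-1] != '\n' */
            continue;                       /* n == 0 || p[n-1] != '\n' */
        }
        if (p[n - 1] == '\n') break;
    }
    p[n] = '\0';
    return (long)n;
}

/* Feeds constructed bytes through a temporary file; -2 means setup failed. */
long demo(const char *bytes, size_t len, enum guard g, char *out, size_t cap)
{
    long n = -2;
    FILE *in = tmpfile();
    if (in == NULL) return n;
    if (fwrite(bytes, 1, len, in) == len) {
        rewind(in);
        n = read_line(in, g, out, cap);
    }
    fclose(in);
    return n;
}

int main(void)
{
    static const char input[] = "\0spam\nham\n";  /* constructed sample input */
    char line[128];
    for (int g = UNGUARDED; g <= STOP_ON_ZERO; g++) {
        long n = demo(input, sizeof input - 1, (enum guard)g, line, sizeof line);
        printf("guard=%d n=%ld line=\"%.*s\"\n", g, n, n > 0 ? (int)n - 1 : 0, line);
    }
    return 0;
}
```

In this stand-in `fgets()` consumes the whole `\0spam\n` chunk in one call, so the `n != 0 &&` form returns an empty line, the `n == 0 ||` form returns `ham\n`, and the unguarded form reaches the `p[-1]` read.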