Skip to content

Commit ad57b62

Browse files
committed
gh-152682: Fix NULL dereference on OOM in symtable_visit_type_param_bound_or_default
In symtable_visit_type_param_bound_or_default(), when a reserved name (e.g. __classdict__) is used as a type parameter, PyUnicode_FromFormat() is called to build the SyntaxError message. If the allocation fails and returns NULL, the subsequent PyErr_SetObject() and Py_DECREF() calls would dereference NULL, causing a segfault. Fix by returning 0 immediately when PyUnicode_FromFormat() returns NULL. This propagates the MemoryError set by PyUnicode_FromFormat(). The bug was introduced in gh-128632 (commit 891c61c).
1 parent ecdef17 commit ad57b62

3 files changed

Lines changed: 23 additions & 0 deletions

File tree

Lib/test/test_syntax.py

Lines changed: 17 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2861,6 +2861,7 @@ def f(x: *b)
28612861
import unittest
28622862

28632863
from test import support
2864+
from test.support.script_helper import assert_python_ok
28642865

28652866
class SyntaxWarningTest(unittest.TestCase):
28662867
def check_warning(self, code, errtext, filename="<testcase>", mode="exec"):
@@ -3201,6 +3202,22 @@ class A:
32013202
class B[{name}]: pass
32023203
""", "<testcase>", mode="exec")
32033204

3205+
@support.nomemtest
3206+
def test_disallowed_type_param_names_oom(self):
3207+
# gh-152682: Don't crash on OOM when formatting the SyntaxError message
3208+
# in symtable_visit_type_param_bound_or_default.
3209+
code = textwrap.dedent("""\
3210+
import _testcapi
3211+
_testcapi.set_nomemory(0)
3212+
try:
3213+
compile("class A[__classdict__]: pass", "<string>", "exec")
3214+
except MemoryError:
3215+
pass
3216+
else:
3217+
raise RuntimeError('MemoryError not raised')
3218+
""")
3219+
assert_python_ok("-c", code)
3220+
32043221
@support.cpython_only
32053222
def test_nested_named_except_blocks(self):
32063223
code = ""
Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,3 @@
1+
Fix NULL pointer dereference in :func:`compile` when a reserved name (e.g.
2+
``__classdict__``) is used as a type parameter name and memory allocation
3+
fails while formatting the error message.

Python/symtable.c

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2678,6 +2678,9 @@ symtable_visit_type_param_bound_or_default(
26782678

26792679
PyObject *error_msg = PyUnicode_FromFormat("reserved name '%U' cannot be "
26802680
"used for type parameter", name);
2681+
if (error_msg == NULL) {
2682+
return 0;
2683+
}
26812684
PyErr_SetObject(PyExc_SyntaxError, error_msg);
26822685
Py_DECREF(error_msg);
26832686
SET_ERROR_LOCATION(st->st_filename, LOCATION(tp));

0 commit comments

Comments
 (0)