Use-after-free in unicode_escape decoder with error handler
#133767
Assignees
Labels
3.9
only security fixes
3.10
only security fixes
3.11
only security fixes
3.12
only security fixes
3.13
bugs and security fixes
3.14
bugs and security fixes
3.15
new features, bugs and security fixes
interpreter-core
(Objects, Python, Grammar, and Parser dirs)
release-blocker
topic-unicode
type-crash
A hard crash of the interpreter, possibly with a core dump
type-security
A security issue
Comments
sethmlarson
added
the
type-crash
sethmlarson
changed the title
unicode_escape decoder with error handler
picnixz
added
interpreter-core
serhiy-storchaka
added a commit
that referenced
this issue
May 12, 2025
…rror handler (GH-129648) If the error handler is used, a new bytes object is created to set as the object attribute of UnicodeDecodeError, and that bytes object then replaces the original data. A pointer to the decoded data will became invalid after destroying that temporary bytes object. So we need other way to return the first invalid escape from _PyUnicode_DecodeUnicodeEscapeInternal(). _PyBytes_DecodeEscape() does not have such issue, because it does not use the error handlers registry, but it should be changed for compatibility with _PyUnicode_DecodeUnicodeEscapeInternal().
miss-islington
pushed a commit
to miss-islington/cpython
that referenced
this issue
May 12, 2025
…h an error handler (pythonGH-129648) If the error handler is used, a new bytes object is created to set as the object attribute of UnicodeDecodeError, and that bytes object then replaces the original data. A pointer to the decoded data will became invalid after destroying that temporary bytes object. So we need other way to return the first invalid escape from _PyUnicode_DecodeUnicodeEscapeInternal(). _PyBytes_DecodeEscape() does not have such issue, because it does not use the error handlers registry, but it should be changed for compatibility with _PyUnicode_DecodeUnicodeEscapeInternal(). (cherry picked from commit 9f69a58) Co-authored-by: Serhiy Storchaka <[email protected]>
serhiy-storchaka
added a commit
to serhiy-storchaka/cpython
that referenced
this issue
May 12, 2025
…der with an error handler (pythonGH-129648) If the error handler is used, a new bytes object is created to set as the object attribute of UnicodeDecodeError, and that bytes object then replaces the original data. A pointer to the decoded data will became invalid after destroying that temporary bytes object. So we need other way to return the first invalid escape from _PyUnicode_DecodeUnicodeEscapeInternal(). _PyBytes_DecodeEscape() does not have such issue, because it does not use the error handlers registry, but it should be changed for compatibility with _PyUnicode_DecodeUnicodeEscapeInternal(). (cherry picked from commit 9f69a58) Co-authored-by: Serhiy Storchaka <[email protected]>
serhiy-storchaka
added a commit
that referenced
this issue
May 13, 2025
…th an error handler (GH-129648) (GH-133942) If the error handler is used, a new bytes object is created to set as the object attribute of UnicodeDecodeError, and that bytes object then replaces the original data. A pointer to the decoded data will became invalid after destroying that temporary bytes object. So we need other way to return the first invalid escape from _PyUnicode_DecodeUnicodeEscapeInternal(). _PyBytes_DecodeEscape() does not have such issue, because it does not use the error handlers registry, but it should be changed for compatibility with _PyUnicode_DecodeUnicodeEscapeInternal(). (cherry picked from commit 9f69a58) Co-authored-by: Serhiy Storchaka <[email protected]>
This was referenced May 16, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Crash report
What happened?
When using
.decode("unicode_escape")with an error handler there is a use-after-free segfault.CPython versions tested on:
CPython main branch
Operating systems tested on:
No response
Output from running 'python -VV' on the command line:
No response
Linked PRs
The text was updated successfully, but these errors were encountered: