KEMBAR78
[3.14] gh-133767: Fix use-after-free in the unicode-escape decoder with an error handler (GH-129648) by miss-islington · Pull Request #133942 · python/cpython · GitHub
Skip to content

[3.14] gh-133767: Fix use-after-free in the unicode-escape decoder with an error handler (GH-129648) #133942

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
May 13, 2025
Merged

[3.14] gh-133767: Fix use-after-free in the unicode-escape decoder with an error handler (GH-129648) #133942

merged 2 commits into from
May 13, 2025
+160 −80

Conversation

@miss-islington
Copy link
Contributor

@miss-islington miss-islington commented May 12, 2025
edited by bedevere-app bot
Loading

If the error handler is used, a new bytes object is created to set as
the object attribute of UnicodeDecodeError, and that bytes object then
replaces the original data. A pointer to the decoded data will became invalid
after destroying that temporary bytes object. So we need other way to return
the first invalid escape from _PyUnicode_DecodeUnicodeEscapeInternal().

_PyBytes_DecodeEscape() does not have such issue, because it does not
use the error handlers registry, but it should be changed for compatibility
with _PyUnicode_DecodeUnicodeEscapeInternal().
(cherry picked from commit 9f69a58)

Co-authored-by: Serhiy Storchaka storchaka@gmail.com

@serhiy-storchaka @miss-islington
pythongh-133767: Fix use-after-free in the unicode-escape decoder wit…
62bb911 
…h an error handler (pythonGH-129648)

If the error handler is used, a new bytes object is created to set as
the object attribute of UnicodeDecodeError, and that bytes object then
replaces the original data. A pointer to the decoded data will became invalid
after destroying that temporary bytes object. So we need other way to return
the first invalid escape from _PyUnicode_DecodeUnicodeEscapeInternal().

_PyBytes_DecodeEscape() does not have such issue, because it does not
use the error handlers registry, but it should be changed for compatibility
with _PyUnicode_DecodeUnicodeEscapeInternal().
(cherry picked from commit 9f69a58)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
@bedevere-app bedevere-app bot mentioned this pull request May 12, 2025
Closed
@bedevere-app bedevere-app bot added the type-security A security issue label May 12, 2025
@bedevere-app bedevere-app bot mentioned this pull request May 12, 2025
Merged
@serhiy-storchaka serhiy-storchaka requested a review from encukou as a code owner May 13, 2025 10:14
@serhiy-storchaka serhiy-storchaka merged commit 69b4387 into python:3.14 May 13, 2025
41 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pablogsal pablogsal Awaiting requested review from pablogsal pablogsal is a code owner

@lysnikolaou lysnikolaou Awaiting requested review from lysnikolaou lysnikolaou is a code owner

@encukou encukou Awaiting requested review from encukou encukou is a code owner

Assignees

No one assigned

Labels

type-security A security issue

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@miss-islington @serhiy-storchaka