1berry/cpython
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

When the Py_CompileStringExFlags fuzzer encounters a SystemError, abort (#115147)

Browse Source 
This allows us to catch bugs beyond memory corruption and assertions.
This commit is contained in:
Alex Gaynor 2024-02-07 17:21:33 -05:00 committed by GitHub
parent 8f0998e844
commit 38b970dfcc
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 9 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
Modules/_xxtestfuzz/fuzzer.c
View File

@ -502,7 +502,6 @@ static int fuzz_elementtree_parsewhole(const char* data, size_t size) {
} }
#define MAX_PYCOMPILE_TEST_SIZE 16384 #define MAX_PYCOMPILE_TEST_SIZE 16384
static char pycompile_scratch[MAX_PYCOMPILE_TEST_SIZE];
static const int start_vals[] = {Py_eval_input, Py_single_input, Py_file_input}; static const int start_vals[] = {Py_eval_input, Py_single_input, Py_file_input};
const size_t NUM_START_VALS = sizeof(start_vals) / sizeof(start_vals[0]); const size_t NUM_START_VALS = sizeof(start_vals) / sizeof(start_vals[0]);
@ -531,6 +530,8 @@ static int fuzz_pycompile(const char* data, size_t size) {
unsigned char optimize_idx = (unsigned char) data[1]; unsigned char optimize_idx = (unsigned char) data[1];
int optimize = optimize_vals[optimize_idx % NUM_OPTIMIZE_VALS]; int optimize = optimize_vals[optimize_idx % NUM_OPTIMIZE_VALS];
char pycompile_scratch[MAX_PYCOMPILE_TEST_SIZE];
// Create a NUL-terminated C string from the remaining input // Create a NUL-terminated C string from the remaining input
memcpy(pycompile_scratch, data + 2, size - 2); memcpy(pycompile_scratch, data + 2, size - 2);
// Put a NUL terminator just after the copied data. (Space was reserved already.) // Put a NUL terminator just after the copied data. (Space was reserved already.)
@ -549,7 +550,13 @@ static int fuzz_pycompile(const char* data, size_t size) {
PyObject *result = Py_CompileStringExFlags(pycompile_scratch, "<fuzz input>", start, flags, optimize); PyObject *result = Py_CompileStringExFlags(pycompile_scratch, "<fuzz input>", start, flags, optimize);
if (result == NULL) { if (result == NULL) {
/* compilation failed, most likely from a syntax error */ /* Compilation failed, most likely from a syntax error. If it was a
SystemError we abort. There's no non-bug reason to raise a
SystemError. */
if (PyErr_Occurred() && PyErr_ExceptionMatches(PyExc_SystemError)) {
PyErr_Print();
abort();
}
PyErr_Clear(); PyErr_Clear();
} else { } else {
Py_DECREF(result); Py_DECREF(result);