Skip to content

gh-144475: Fix a heap buffer overflow in partial_repr#144571

Open
bkap123 wants to merge 18 commits intopython:mainfrom
bkap123:fix-functools_partial_repr_bug
Open

gh-144475: Fix a heap buffer overflow in partial_repr#144571
bkap123 wants to merge 18 commits intopython:mainfrom
bkap123:fix-functools_partial_repr_bug

Conversation

@bkap123
Copy link

@bkap123 bkap123 commented Feb 7, 2026
edited by bedevere-app bot
Loading

@bkap123 bkap123 requested a review from rhettinger as a code owner February 7, 2026 16:19
@python-cla-bot
Copy link

python-cla-bot bot commented Feb 7, 2026
edited
Loading

All commit authors signed the Contributor License Agreement.

CLA signed

@bedevere-app bedevere-app bot mentioned this pull request Feb 7, 2026
Open
@bedevere-app
Copy link

bedevere-app bot commented Feb 7, 2026

Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool.

If this change has little impact on Python users, wait for a maintainer to apply the skip news label instead.

@picnixz
Copy link
Member

picnixz commented Feb 7, 2026
edited
Loading

Please:

  • add regression tests and check that the test failed before your change
  • remove blank lines in NEWS

picnixz
picnixz reviewed Feb 7, 2026
View reviewed changes
picnixz
picnixz reviewed Feb 7, 2026
View reviewed changes
@picnixz
Copy link
Member

picnixz commented Feb 7, 2026
edited
Loading

By the way, @dr-carlos already suggested to open a PR. It is polite to ask them if they want to contribute themselves. As such, I'm going to close this one unless they are fine with you making the PR (we don't really want people "sniping" work of others)

@bkap123
Copy link
Author

bkap123 commented Feb 7, 2026

Thanks for the feedback. I missed that @dr-carlos suggested to fix it.

I’m happy to close this PR if @dr-carlos is already working on it.

@bkap123 @picnixz
Apply suggestion from @picnixz
e53d7e9 
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
@dr-carlos
Copy link
Contributor

dr-carlos commented Feb 7, 2026

Thanks for the feedback. I missed that @dr-carlos suggested to fix it.

I’m happy to close this PR if @dr-carlos is already working on it.

Hi, thanks for asking!
I'm happy for you to continue with the PR :)

dr-carlos
dr-carlos reviewed Feb 7, 2026
View reviewed changes
@bkap123
Copy link
Author

bkap123 commented Feb 8, 2026
edited
Loading

Here are the changes I made:

  • I added a kw local pointer, as a similar segfault happens for keywords
  • I added an fn local pointer so that repr uses its original state when generating its final representation.
  • I got rid of the error goto and merged it with the done goto as I needed to decrement the reference count of fn, args, and kw, and I found that decrementing them in the done goto was the easiest.
    Update: I changed the goto logic to reduce repetitive calls to Py_DECREF
  • I added a test based on @Qanux's original code in issue heap-buffer-overflow in functools.partial.__repr__() #144475. I extended it to also check for changes in the fn and kw arguments.

caje731
caje731 reviewed Feb 9, 2026
View reviewed changes
Modules/_functoolsmodule.c
Py_DECREF(args);
Py_DECREF(kw);
Py_ReprLeave(self);
return result;
Copy link
Contributor

@caje731 caje731 Feb 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this return made sense when the label was 'done'.
Do we still want a side-effect of "return" for a label that "frees arguments"?
Or maybe we keep the "done" label?

Copy link
Author

@bkap123 bkap123 Feb 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not exactly sure. I could see arguments for and against adding a done label before the return.

Personally, I don't think it is necessary, as it would never be used. Since the function returns NULL in the case of an error before a new reference is called to the arguments, adding a done label could be a bit misleading. It might suggest that the done label is called if the function needs to return before the fn, args, and kw point to the arguments, as that is the pattern for the other labels.

I would like to get other people's thoughts on this.

Copy link
Author

@bkap123 bkap123 Feb 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, since each of the three labels will only be jumped to on an error, a better solution might be to rename each of the labels to the specific error that occurs rather than what gets freed. That way, it makes more sense why the function returns.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@picnixz picnixz picnixz left review comments

@rhettinger rhettinger Awaiting requested review from rhettinger rhettinger is a code owner

+2 more reviewers

@caje731 caje731 caje731 left review comments

@dr-carlos dr-carlos dr-carlos left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

awaiting review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@bkap123 @picnixz @dr-carlos @caje731