bpo-41175: Guard against a NULL pointer dereference within bytearrayobject (GH-21240)

The issue is triggered by the bytearray() + bytearray() operation.

Detected by GCC 10 static analysis tool.
(cherry picked from commit 61fc23ca106bc82955b0e59d1ab42285b94899e2)

Co-authored-by: stratakis <cstratak@redhat.com>

diff --git a/Misc/NEWS.d/next/Core and Builtins/2020-06-30-20-17-31.bpo-41175.acJoXB.rst b/Misc/NEWS.d/next/Core and Builtins/2020-06-30-20-17-31.bpo-41175.acJoXB.rst
new file mode 100644 (file)
index 0000000..844fb80
--- /dev/null
+++ b/Misc/NEWS.d/next/Core and Builtins/2020-06-30-20-17-31.bpo-41175.acJoXB.rst
@@ -0,0 +1,2 @@
+Guard against a NULL pointer dereference within bytearrayobject triggered by
+the ``bytearray() + bytearray()`` operation.

diff --git a/Objects/bytearrayobject.c b/Objects/bytearrayobject.c
index 590b8060561868157ca4c289317ed0080f45cbe8..d4d02336b6cf036289158c63e64e70ee0e66c2c9 100644 (file)
--- a/Objects/bytearrayobject.c
+++ b/Objects/bytearrayobject.c
@@ -276,7 +276,9 @@ PyByteArray_Concat(PyObject *a, PyObject *b)
 
     result = (PyByteArrayObject *) \
         PyByteArray_FromStringAndSize(NULL, va.len + vb.len);
-    if (result != NULL) {
+    // result->ob_bytes is NULL if result is an empty string:
+    // if va.len + vb.len equals zero.
+    if (result != NULL && result->ob_bytes != NULL) {
         memcpy(result->ob_bytes, va.buf, va.len);
         memcpy(result->ob_bytes + va.len, vb.buf, vb.len);
     }