[3.13] gh-91153: prevent a crash in `bytearray.__setitem__(ind, ...)` when `ind.__ind...

author Bénédikt Tran <10796600+picnixz@users.noreply.github.com>

Sat, 12 Jul 2025 14:34:45 +0000 (16:34 +0200)

committer GitHub <noreply@github.com>

Sat, 12 Jul 2025 14:34:45 +0000 (16:34 +0200)
author Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
Sat, 12 Jul 2025 14:34:45 +0000 (16:34 +0200)
committer GitHub <noreply@github.com>
Sat, 12 Jul 2025 14:34:45 +0000 (16:34 +0200)
diff --git a/Lib/test/test_bytes.py b/Lib/test/test_bytes.py

index f8edfe0a17a45d644409ee52922bd22fd78c7560..b8f2a0217685b2f433e3300935c845acc4d0afae 100644 (file)
--- a/Lib/test/test_bytes.py
+++ b/Lib/test/test_bytes.py
@@ -1827,6 +1827,8 @@ class ByteArrayTest(BaseBytesTest, unittest.TestCase):
          self.assertEqual(b3, b'xcxcxc')
  
      def test_mutating_index(self):
+        # bytearray slice assignment can call into python code
+        # that reallocates the internal buffer
          # See gh-91153
  
          class Boom:
@@ -1844,6 +1846,39 @@ class ByteArrayTest(BaseBytesTest, unittest.TestCase):
              with self.assertRaises(IndexError):
                  self._testlimitedcapi.sequence_setitem(b, 0, Boom())
  
+    def test_mutating_index_inbounds(self):
+        # gh-91153 continued
+        # Ensure buffer is not broken even if length is correct
+
+        class MutatesOnIndex:
+            def __init__(self):
+                self.ba = bytearray(0x180)
+
+            def __index__(self):
+                self.ba.clear()
+                self.new_ba = bytearray(0x180)  # to catch out-of-bounds writes
+                self.ba.extend([0] * 0x180)     # to check bounds checks
+                return 0
+
+        with self.subTest("skip_bounds_safety"):
+            instance = MutatesOnIndex()
+            instance.ba[instance] = ord("?")
+            self.assertEqual(instance.ba[0], ord("?"), "Assigned bytearray not altered")
+            self.assertEqual(instance.new_ba, bytearray(0x180), "Wrong object altered")
+
+        with self.subTest("skip_bounds_safety_capi"):
+            instance = MutatesOnIndex()
+            instance.ba[instance] = ord("?")
+            self._testlimitedcapi.sequence_setitem(instance.ba, instance, ord("?"))
+            self.assertEqual(instance.ba[0], ord("?"), "Assigned bytearray not altered")
+            self.assertEqual(instance.new_ba, bytearray(0x180), "Wrong object altered")
+
+        with self.subTest("skip_bounds_safety_slice"):
+            instance = MutatesOnIndex()
+            instance.ba[instance:1] = [ord("?")]
+            self.assertEqual(instance.ba[0], ord("?"), "Assigned bytearray not altered")
+            self.assertEqual(instance.new_ba, bytearray(0x180), "Wrong object altered")
+
  
  class AssortedBytesTest(unittest.TestCase):
      #
diff --git a/Misc/NEWS.d/next/Core and Builtins/2025-05-17-20-56-05.gh-issue-91153.afgtG2.rst b/Misc/NEWS.d/next/Core and Builtins/2025-05-17-20-56-05.gh-issue-91153.afgtG2.rst

new file mode 100644 (file)

index 0000000..dc2f1e2
--- /dev/null
+++ b/Misc/NEWS.d/next/Core and Builtins/2025-05-17-20-56-05.gh-issue-91153.afgtG2.rst
@@ -0,0 +1 @@
+Fix a crash when a :class:`bytearray` is concurrently mutated during item assignment.
diff --git a/Objects/bytearrayobject.c b/Objects/bytearrayobject.c

index a67f41bbfc7039fb5a0c136ba8e856e55548d09f..5382b1bdfa59aa00a4d801b67ceb8783e7be410e 100644 (file)
--- a/Objects/bytearrayobject.c
+++ b/Objects/bytearrayobject.c
@@ -591,8 +591,10 @@ static int
  bytearray_ass_subscript(PyByteArrayObject *self, PyObject *index, PyObject *values)
  {
      Py_ssize_t start, stop, step, slicelen, needed;
-    char *buf, *bytes;
-    buf = PyByteArray_AS_STRING(self);
+    char *bytes;
+    // Do not store a reference to the internal buffer since
+    // index.__index__() or _getbytevalue() may alter 'self'.
+    // See https://github.com/python/cpython/issues/91153.
  
      if (_PyIndex_Check(index)) {
          Py_ssize_t i = PyNumber_AsSsize_t(index, PyExc_IndexError);
@@ -627,7 +629,7 @@ bytearray_ass_subscript(PyByteArrayObject *self, PyObject *index, PyObject *valu
          }
          else {
              assert(0 <= ival && ival < 256);
-            buf[i] = (char)ival;
+            PyByteArray_AS_STRING(self)[i] = (char)ival;
              return 0;
          }
      }
@@ -682,6 +684,7 @@ bytearray_ass_subscript(PyByteArrayObject *self, PyObject *index, PyObject *valu
              /* Delete slice */
              size_t cur;
              Py_ssize_t i;
+            char *buf = PyByteArray_AS_STRING(self);
  
              if (!_canresize(self))
                  return -1;
@@ -722,6 +725,7 @@ bytearray_ass_subscript(PyByteArrayObject *self, PyObject *index, PyObject *valu
              /* Assign slice */
              Py_ssize_t i;
              size_t cur;
+            char *buf = PyByteArray_AS_STRING(self);
  
              if (needed != slicelen) {
                  PyErr_Format(PyExc_ValueError,
author	Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
	Sat, 12 Jul 2025 14:34:45 +0000 (16:34 +0200)
committer	GitHub <noreply@github.com>
	Sat, 12 Jul 2025 14:34:45 +0000 (16:34 +0200)
Lib/test/test_bytes.py		patch \| blob \| blame \| history
Misc/NEWS.d/next/Core and Builtins/2025-05-17-20-56-05.gh-issue-91153.afgtG2.rst	[new file with mode: 0644]	patch \| blob
Objects/bytearrayobject.c		patch \| blob \| blame \| history