Issue #24613: Calling array.fromstring() with self is no longer allowed

to prevent the use-after-free error.  Patch by John Leitch.

diff --git a/Lib/test/test_array.py b/Lib/test/test_array.py
index 105cf73946401a41b0d961e6dc2234796c39184a..9f5c09d8cbbb71556a7ced69ff842f1e9bca4d7c 100644 (file)
--- a/Lib/test/test_array.py
+++ b/Lib/test/test_array.py
@@ -247,6 +247,7 @@ class BaseTest(unittest.TestCase):
         self.assertRaises(TypeError, a.tostring, 42)
         self.assertRaises(TypeError, b.fromstring)
         self.assertRaises(TypeError, b.fromstring, 42)
+        self.assertRaises(ValueError, a.fromstring, a)
         b.fromstring(a.tostring())
         self.assertEqual(a, b)
         if a.itemsize>1:

diff --git a/Misc/NEWS b/Misc/NEWS
index 273b1161a792f429fa32d7523f31de9c2e964ccf..2fd418d3180d39e577e1608654873eebebb59498 100644 (file)
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -34,6 +34,9 @@ Core and Builtins
 Library
 -------
 
+- Issue #24613: Calling array.fromstring() with self is no longer allowed
+  to prevent the use-after-free error.  Patch by John Leitch.
+
 - Issue #24708: Fix possible integer overflow in strop.replace().
 
 - Issue #24620: Random.setstate() now validates the value of state last element.

diff --git a/Modules/arraymodule.c b/Modules/arraymodule.c
index 3ed8a33ad7649316895fd65ae3b327607a0d9ae9..1d1f0d3845cc1cc5bac42181adab491e0f346312 100644 (file)
--- a/Modules/arraymodule.c
+++ b/Modules/arraymodule.c
@@ -1380,6 +1380,11 @@ array_fromstring(arrayobject *self, PyObject *args)
     int itemsize = self->ob_descr->itemsize;
     if (!PyArg_ParseTuple(args, "s#:fromstring", &str, &n))
         return NULL;
+    if (str == self->ob_item) {
+        PyErr_SetString(PyExc_ValueError,
+                        "array.fromstring(x): x cannot be self");
+        return NULL;
+    }
     if (n % itemsize != 0) {
         PyErr_SetString(PyExc_ValueError,
                    "string length not a multiple of item size");