
gh-144872: fix heap buffer overflow #144807

Open
AdamKorcz wants to merge 5 commits into python:main from AdamKorcz:oss-fuzz-fix-1
AdamKorcz commented Feb 13, 2026

Signed-off-by: Adam <adam@Adam-Workstation.lan>

bedevere-app bot commented Feb 13, 2026

Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool.

If this change has little impact on Python users, wait for a maintainer to apply the skip news label instead.

ammaraskar (Member) commented

Thanks for the contribution! Would you mind adding a regression test for this in https://github.com/python/cpython/blob/main/Lib/test/test_tokenize.py

@gpshead gpshead self-assigned this Feb 14, 2026
Add a test covering truncated multi-byte UTF-8 sequences at end of input.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
gpshead (Member) commented Feb 14, 2026

I added a test.

(discussed with PSRT) We're not considering this a security issue; compile() is not safe against untrusted input (nor are the other paths that are actually executing code rather than just compiling it). It can read a couple bytes past the end of the input bytes at most. At worst a crash (ASAN in particular, which I believe is how oss-fuzz found it); you'd likely get a SyntaxError as intended otherwise.
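An added illustration of the bug class discussed in the comment above, not code from this PR or from CPython's tokenizer: it assumes the overread follows the usual pattern, in which a decoder takes a sequence length from a UTF-8 lead byte and reads the continuation bytes without comparing that length to the bytes remaining. The function names and sample bytes are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Total sequence length implied by a UTF-8 lead byte; 0 for an invalid lead. */
static size_t utf8_expected_len(unsigned char lead)
{
    if (lead < 0x80) return 1;
    if ((lead & 0xE0) == 0xC0) return 2;
    if ((lead & 0xF0) == 0xE0) return 3;
    if ((lead & 0xF8) == 0xF0) return 4;
    return 0;  /* stray continuation byte or 0xF8..0xFF */
}

/* Length of the sequence starting at p, or 0 if it is malformed or truncated.
 * Structural check only: overlong forms and surrogates are not rejected. */
size_t utf8_seq_len_checked(const unsigned char *p, const unsigned char *end)
{
    if (p >= end) return 0;
    size_t n = utf8_expected_len(*p);
    /* Compare against the bytes that remain BEFORE touching p[1..n-1];
     * skipping this comparison is what lets a decoder read past `end`. */
    if (n == 0 || (size_t)(end - p) < n) return 0;
    for (size_t i = 1; i < n; i++)
        if ((p[i] & 0xC0) != 0x80) return 0;
    return n;
}

/* Offset of the first malformed or truncated sequence, or len if none. */
size_t utf8_first_invalid(const unsigned char *buf, size_t len)
{
    const unsigned char *p = buf, *end = buf + len;
    while (p < end) {
        size_t n = utf8_seq_len_checked(p, end);
        if (n == 0) break;
        p += n;
    }
    return (size_t)(p - buf);
}

int main(void)
{
    /* Constructed samples: "x=" then a complete, then a truncated, U+20AC. */
    const unsigned char ok[]  = { 'x', '=', 0xE2, 0x82, 0xAC };
    const unsigned char cut[] = { 'x', '=', 0xE2, 0x82 };
    printf("ok:  first invalid at %zu of %zu\n", utf8_first_invalid(ok, sizeof ok), sizeof ok);
    printf("cut: first invalid at %zu of %zu\n", utf8_first_invalid(cut, sizeof cut), sizeof cut);
    return 0;
}
```

Building it with `-fsanitize=address` and feeding it inputs that end mid-sequence is one way to confirm that no read lands past the buffer.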

gpshead (Member) commented Feb 14, 2026

We do like to have issues filed to track things - read up on https://devguide.python.org/getting-started/pull-request-lifecycle/#pullrequest
As I believe you're intending to fix up a bunch of fuzzer-found items, consider making a tracking issue for similar themes of those "parser crashes" or similar for this one for example - we don't need one issue per item when they aren't actually security related.

While you're working on already public oss-fuzz findings, as they are public it is fine to go ahead and make public PRs.

But if you come across any that seem actually security relevant, please reach out via email to the PSRT, or since you're producing fix PRs maybe just use https://github.com/python/cpython/security to drop those in GHSAs for us to look over (many will probably be things we just open directly to the public as a non-concern "more of a bug" like this one).

AdamKorcz changed the title from "oss-fuzz-451112368: fix found crash" to "gh-144872: fix found crash" on Feb 16, 2026
Signed-off-by: Adam Korczynski <adam@adalogics.com>
python-cla-bot bot commented Feb 16, 2026

All commit authors signed the Contributor License Agreement.


AdamKorcz changed the title from "gh-144872: fix found crash" to "gh-144872: fix heap buffer overflow" on Feb 16, 2026
AdamKorcz and others added 2 commits February 16, 2026 15:38
…9_Q30.rst

Co-authored-by: AN Long <aisk@users.noreply.github.com>
Co-authored-by: AN Long <aisk@users.noreply.github.com>
AdamKorcz (Author) commented

@aisk thank you, is it me or you who needs to sign the CLA?

AdamKorcz (Author) commented

> @aisk thank you, is it me or you who needs to sign the CLA?

It was me.
