fix: crash .TextIOWrapper.seek with a custom __int__ method detaches

yihong0618 · yihong0618 · commit 1eb62a4a8f89 · 2025-12-22T22:18:50.000+08:00
Signed-off-by: yihong0618 &lt;zouzou0208@gmail.com&gt;
diff --git a/Lib/test/test_io/test_textio.py b/Lib/test/test_io/test_textio.py
@@ -1560,6 +1560,23 @@ def closed(self):
         wrapper = self.TextIOWrapper(raw)
         wrapper.close()  # should not crash
 
+    def test_issue143007(self):
+        # gh-143007: Null pointer dereference in TextIOWrapper.seek
+        # via re-entrant __int__
+        wrapper = self.TextIOWrapper(self.BytesIO(b"x"))
+
+        class Cookie(int):
+            def __new__(cls, wrapper):
+                obj = int.__new__(cls, 0)
+                obj.wrapper = wrapper
+                return obj
+            def __int__(self):
+                self.wrapper.detach()
+                return 0
+
+        with self.assertRaises(ValueError):
+            wrapper.seek(Cookie(wrapper), 0)  # should not crash
+
 
 class PyTextIOWrapperTest(TextIOWrapperTest, PyTestCase):
     shutdown_error = "LookupError: unknown encoding: ascii"
diff --git a/Misc/NEWS.d/next/Library/2025-12-21-21-30-48.gh-issue-143007.EtzUva.rst b/Misc/NEWS.d/next/Library/2025-12-21-21-30-48.gh-issue-143007.EtzUva.rst
@@ -0,0 +1,2 @@
+Fix crash in :meth:`io.TextIOWrapper.seek` when a custom cookie's
+``__int__`` method detaches the underlying buffer.
diff --git a/Modules/_io/textio.c b/Modules/_io/textio.c
@@ -2416,13 +2416,22 @@ typedef struct {
 #endif
 
 static int
-textiowrapper_parse_cookie(cookie_type *cookie, PyObject *cookieObj)
+textiowrapper_parse_cookie(textio *self, cookie_type *cookie, PyObject *cookieObj)
 {
     unsigned char buffer[COOKIE_BUF_LEN];
     PyLongObject *cookieLong = (PyLongObject *)PyNumber_Long(cookieObj);
     if (cookieLong == NULL)
         return -1;
 
+    // gh-143007: PyNumber_Long can call arbitrary code through __int__
+    // which may detach the underlying buffer.
+    if (self->detached) {
+        Py_DECREF(cookieLong);
+        PyErr_SetString(PyExc_ValueError,
+                        "underlying buffer has been detached");
+        return -1;
+    }
+
     if (_PyLong_AsByteArray(cookieLong, buffer, sizeof(buffer),
                             PY_LITTLE_ENDIAN, 0, 1) < 0) {
         Py_DECREF(cookieLong);
@@ -2637,7 +2646,7 @@ _io_TextIOWrapper_seek_impl(textio *self, PyObject *cookieObj, int whence)
     /* The strategy of seek() is to go back to the safe start point
      * and replay the effect of read(chars_to_skip) from there.
      */
-    if (textiowrapper_parse_cookie(&cookie, cookieObj) < 0)
+    if (textiowrapper_parse_cookie(self, &cookie, cookieObj) < 0)
         goto fail;
 
     /* Seek back to the safe start point. */

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	+Fix crash in :meth:`io.TextIOWrapper.seek` when a custom cookie's
	`2`	+``__int__`` method detaches the underlying buffer.