Description
Bug report
Bug description:
Hi folks,
I recently noticed that the CPython bytecode executor can potentially have OOB reads while executing malformed bytecode.
The root cause is the code here: the lack of bounds checking in release mode.
The GETITEM macro is used to access code.co_names and code.co_consts while executing LOAD_CONST, STORE_NAME, STORE_GLOBAL and 20 more instructions (search for GETITEM usage in the generated_cases.c.h file). If their arguments are bigger than the length of co_consts or co_names, it will access an element outside the bounds of these tuples.
This behavior causes assertion failures in debug mode and segmentation faults in release mode.
Here's an example of such a payload misusing LOAD_CONST: load_const_oob_read.cpython-315.zip
P.S. I'm not sure what the general approach is for these kinds of bugs, or if they are even considered bugs. If so, I have a bunch of such crashes in my pocket, and we can discuss them later in other issues. For now, I'm just reporting this one to see how relevant they are and not to overwhelm you, the maintainers, with a bunch of invalid issues.
CPython versions tested on:
CPython main branch
Operating systems tested on:
Linux
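The check that the report says is missing from release builds can be done from Python before untrusted bytecode is ever executed. The example below is added here and is not the reporter's attached payload nor CPython's own code: it decodes raw code units (folding EXTENDED_ARG prefixes), resolves the operand index for every opcode in dis.hasconst / dis.hasname, and reports any index that falls outside co_consts or co_names. It assumes the flag-bit layouts of LOAD_GLOBAL (low bit since 3.11), LOAD_ATTR (low bit since 3.12) and LOAD_SUPER_ATTR (two low bits) match the running interpreter. The malformed LOAD_CONST bytecode is constructed inline as raw bytes and deliberately never wrapped in a code object or executed, because executing it is exactly what triggers the crash described above.

```python
import dis
import sys
import types


def _name_index_shift(opname):
    """Number of low oparg bits that carry flags rather than the co_names index.
    Assumption: LOAD_GLOBAL packs a push-NULL bit from 3.11, LOAD_ATTR a
    method-call bit from 3.12, LOAD_SUPER_ATTR two flag bits; all other
    hasname opcodes use the oparg directly as the index."""
    v = sys.version_info[:2]
    if opname == "LOAD_GLOBAL":
        return 1 if v >= (3, 11) else 0
    if opname == "LOAD_ATTR":
        return 1 if v >= (3, 12) else 0
    if opname == "LOAD_SUPER_ATTR":
        return 2
    return 0


def iter_code_units(co_code):
    """Yield (offset, opname, oparg) for each 2-byte code unit.
    EXTENDED_ARG prefixes are folded into the following instruction's oparg;
    CACHE units (3.11+) are yielded as 'CACHE' and ignored by the checker."""
    ext = 0
    for off in range(0, len(co_code), 2):
        op, arg = co_code[off], co_code[off + 1]
        name = dis.opname[op]
        if name == "EXTENDED_ARG":
            ext = (ext | arg) << 8
            continue
        yield off, name, ext | arg
        ext = 0


def check_operands(co_code, co_consts, co_names):
    """Return findings for operand indices outside co_consts / co_names,
    i.e. the bounds check that release builds of the executor skip."""
    findings = []
    for off, name, arg in iter_code_units(co_code):
        op = dis.opmap.get(name)
        if op is None:  # unknown / placeholder opcode name such as '<0>'
            continue
        if op in dis.hasconst:
            pool, pool_name, idx = co_consts, "co_consts", arg
        elif op in dis.hasname:
            pool, pool_name, idx = co_names, "co_names", arg >> _name_index_shift(name)
        else:
            continue
        if idx >= len(pool):
            findings.append(
                f"offset {off}: {name} index {idx} >= len({pool_name})={len(pool)}"
            )
    return findings


def check_code(code):
    """Scan a code object and, recursively, every nested code object."""
    findings = check_operands(code.co_code, code.co_consts, code.co_names)
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            findings.extend(check_code(const))
    return findings


def forge_load_const(index):
    """Constructed malformed bytecode: 'LOAD_CONST index; RETURN_VALUE', using
    an EXTENDED_ARG prefix when the index does not fit in one byte."""
    assert 0 <= index < 0x10000
    ext, low = divmod(index, 256)
    units = []
    if ext:
        units += [dis.opmap["EXTENDED_ARG"], ext]
    units += [dis.opmap["LOAD_CONST"], low, dis.opmap["RETURN_VALUE"], 0]
    return bytes(units)


def sample(x):
    """Compiler-emitted code: every operand index is in range."""
    return x + len("abc")


# Constructed payload: only two constants, but LOAD_CONST asks for index 300.
PAYLOAD_CONSTS = (None, 42)
PAYLOAD_CODE = forge_load_const(300)

if __name__ == "__main__":
    print("compiled sample:", check_code(sample.__code__) or "clean")
    for line in check_operands(PAYLOAD_CODE, PAYLOAD_CONSTS, ()):
        print("payload:", line)
```

Run the scanner over a code object before calling exec() on bytecode that came from an untrusted .pyc or marshal stream; a non-empty result means the executor would index past the end of a tuple and, as the report describes, abort in a debug build or read out of bounds in a release build.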