17 changes: 17 additions & 0 deletions Lib/test/test_io/test_textio.py
Expand Up @@ -1560,6 +1560,23 @@ def closed(self):
wrapper = self.TextIOWrapper(raw)
wrapper.close() # should not crash

def test_issue143007(self):
# gh-143007: Null pointer dereference in TextIOWrapper.seek
# via re-entrant __int__
wrapper = self.TextIOWrapper(self.BytesIO(b"x"))

class Cookie(int):
def __new__(cls, wrapper):
obj = int.__new__(cls, 0)
obj.wrapper = wrapper
return obj
def __int__(self):
self.wrapper.detach()
return 0

with self.assertRaises(ValueError):
wrapper.seek(Cookie(wrapper), 0) # should not crash


class PyTextIOWrapperTest(TextIOWrapperTest, PyTestCase):
shutdown_error = "LookupError: unknown encoding: ascii"
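Review bot: The `with self.assertRaises(ValueError):` around `wrapper.seek(Cookie(wrapper), 0)` accepts any ValueError, so the test would still pass if seek failed for an unrelated reason. Use `assertRaisesRegex(ValueError, "detached")` to tie it to the "underlying buffer has been detached" message set in Modules/_io/textio.c. The trailing `# should not crash` comment is also misleading on a line that is expected to raise; say instead that the call must raise rather than dereference a NULL buffer.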
@@ -0,0 +1,2 @@
Fix crash in :meth:`io.TextIOWrapper.seek` when a custom cookie's
``__int__`` method detaches the underlying buffer.
13 changes: 11 additions & 2 deletions Modules/_io/textio.c
Expand Up @@ -2416,13 +2416,22 @@ typedef struct {
#endif

static int
textiowrapper_parse_cookie(cookie_type *cookie, PyObject *cookieObj)
textiowrapper_parse_cookie(textio *self, cookie_type *cookie, PyObject *cookieObj)
{
unsigned char buffer[COOKIE_BUF_LEN];
PyLongObject *cookieLong = (PyLongObject *)PyNumber_Long(cookieObj);
if (cookieLong == NULL)
return -1;

// gh-143007: PyNumber_Long can call arbitrary code through __int__
// which may detach the underlying buffer.
if (self->detached) {
Contributor

@cmaloney cmaloney Dec 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this isn't the right place to add the check: the `_PyFile_Flush` just before this could result in the same issue, and the cookie's buffer / decoding into it isn't what actually breaks (the buffer in this function is locally allocated, and the cookie should be valid for the whole time of this function).

I think this should do a `CHECK_ATTACHED`-like check just before the `res = PyObject_CallMethodOneArg(self->buffer, &_Py_ID(seek), posobj);` as that's what is doing the `self->buffer` usage/call/dereference.

Contributor Author

Yes, but it is my first solution, and I rethought that we can forget to add it in other places in the future.

Using `CHECK_ATTACHED` to check in the middle of the code does not match its name.

Contributor Author

Changed back to the first way, as you suggested. Thank you.

Py_DECREF(cookieLong);
PyErr_SetString(PyExc_ValueError,
"underlying buffer has been detached");
return -1;
}

if (_PyLong_AsByteArray(cookieLong, buffer, sizeof(buffer),
PY_LITTLE_ENDIAN, 0, 1) < 0) {
Py_DECREF(cookieLong);
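Review bot: The `if (self->detached)` check after `PyNumber_Long(cookieObj)` sits in a helper that only touches the local `buffer` array and `cookieLong`, so the new `textio *self` parameter exists solely for a state check unrelated to parsing. Doing the check in `_io_TextIOWrapper_seek_impl` right after `textiowrapper_parse_cookie` returns, or immediately before the buffer is used as suggested in the thread, keeps the helper's signature unchanged and guards the actual use. If the check stays here, the `gh-143007` comment should name which later access it protects.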
Expand Down Expand Up @@ -2637,7 +2646,7 @@ _io_TextIOWrapper_seek_impl(textio *self, PyObject *cookieObj, int whence)
/* The strategy of seek() is to go back to the safe start point
* and replay the effect of read(chars_to_skip) from there.
*/
if (textiowrapper_parse_cookie(&cookie, cookieObj) < 0)
if (textiowrapper_parse_cookie(self, &cookie, cookieObj) < 0)
goto fail;

/* Seek back to the safe start point. */