From b07f546ea3a574bc3016fb023c157c65a47f4849 Mon Sep 17 00:00:00 2001 From: Victor Stinner Date: Thu, 3 Nov 2022 18:34:32 +0100 Subject: [PATCH] gh-98978: Fix Py_SetPythonHome(NULL) (#99066) Fix use-after-free in Py_SetPythonHome(NULL), Py_SetProgramName(NULL) and _Py_SetProgramFullPath(NULL) function calls. Issue reported by Benedikt Reinartz. --- .../C API/2022-11-03-17-46-41.gh-issue-98978.KJjBvv.rst | 3 +++ Python/pathconfig.c | 6 ++++++ 2 files changed, 9 insertions(+) create mode 100644 Misc/NEWS.d/next/C API/2022-11-03-17-46-41.gh-issue-98978.KJjBvv.rst diff --git a/Misc/NEWS.d/next/C API/2022-11-03-17-46-41.gh-issue-98978.KJjBvv.rst b/Misc/NEWS.d/next/C API/2022-11-03-17-46-41.gh-issue-98978.KJjBvv.rst new file mode 100644 index 00000000000..b9672728009 --- /dev/null +++ b/Misc/NEWS.d/next/C API/2022-11-03-17-46-41.gh-issue-98978.KJjBvv.rst @@ -0,0 +1,3 @@ +Fix use-after-free in ``Py_SetPythonHome(NULL)``, +``Py_SetProgramName(NULL)`` and ``_Py_SetProgramFullPath(NULL)`` function +calls. Issue reported by Benedikt Reinartz. Patch by Victor Stinner. diff --git a/Python/pathconfig.c b/Python/pathconfig.c index 69b7e10a3b0..be0f97c4b20 100644 --- a/Python/pathconfig.c +++ b/Python/pathconfig.c @@ -261,6 +261,8 @@ Py_SetPythonHome(const wchar_t *home) _PyMem_SetDefaultAllocator(PYMEM_DOMAIN_RAW, &old_alloc); PyMem_RawFree(_Py_path_config.home); + _Py_path_config.home = NULL; + if (has_value) { _Py_path_config.home = _PyMem_RawWcsdup(home); } @@ -282,6 +284,8 @@ Py_SetProgramName(const wchar_t *program_name) _PyMem_SetDefaultAllocator(PYMEM_DOMAIN_RAW, &old_alloc); PyMem_RawFree(_Py_path_config.program_name); + _Py_path_config.program_name = NULL; + if (has_value) { _Py_path_config.program_name = _PyMem_RawWcsdup(program_name); } @@ -302,6 +306,8 @@ _Py_SetProgramFullPath(const wchar_t *program_full_path) _PyMem_SetDefaultAllocator(PYMEM_DOMAIN_RAW, &old_alloc); PyMem_RawFree(_Py_path_config.program_full_path); + _Py_path_config.program_full_path = NULL; + if (has_value) { _Py_path_config.program_full_path = _PyMem_RawWcsdup(program_full_path); }