Bug report
Bug description:
The C implementation of bytearray.extend() acquires the argument's buffer
(running its __buffer__()) before clamping the append range, then clamps only
the high bound to the current size. A __buffer__ that shrinks the bytearray
leaves the low bound past the high bound, so extend runs a negative-size
memmove (an out-of-bounds write; SIGABRT on a debug build).
b = bytearray(b'x' * 100)
class Evil:
def __buffer__(self, flags):
b.clear()
return memoryview(b'ABCDEFGH')
b.extend(Evil()) # out-of-bounds write
bytearray.__iadd__ re-reads the size after acquiring the buffer; extend()
does not.
CPython versions tested on:
3.13, 3.14, 3.15, 3.16
Operating systems tested on:
macOS
Linked PRs
Bug report
Bug description:
The C implementation of
bytearray.extend()acquires the argument's buffer(running its
__buffer__()) before clamping the append range, then clamps onlythe high bound to the current size. A
__buffer__that shrinks the bytearrayleaves the low bound past the high bound, so
extendruns a negative-sizememmove(an out-of-bounds write; SIGABRT on a debug build).bytearray.__iadd__re-reads the size after acquiring the buffer;extend()does not.
CPython versions tested on:
3.13, 3.14, 3.15, 3.16
Operating systems tested on:
macOS
Linked PRs