
Conversation

@aviralgarg05

This PR fixes a heap buffer overflow vulnerability in set_clear_internal (Issue gh-143546).

The Issue

The function set_clear_internal could read past the end of the allocated table buffer if the set's used count became inconsistent with the actual table state. This inconsistency occurs due to re-entrancy: if __eq__ is invoked on a set element during an intersection operation (e.g., set_iand), user code can mutate the set (clearing or resizing it) while the interpreter is still holding pointers to the old table.

The Fix

I added a bounds check to the clearing loop in set_clear_internal. The loop condition now strictly enforces entry < table + oldsize in addition to checking used > 0. This guarantees that the loop terminates safely before accessing invalid memory, even if so->used is corrupted or inconsistent with the current table size.

Testing

Added a new regression test test_reentrant_clear_in_iand in Lib/test/test_set.py. This test reproduces the crash scenario by defining a custom object with a re-entrant __eq__ method that clears the set during a set_iand (&=) operation.

Added a bounds check in set_clear_internal to prevent heap buffer overflow when the set is mutated re-entrantly during iteration (e.g. via __eq__).
Added regression test in Lib/test/test_set.py.
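A simplified C model of the loop shape this fix changes, added here as an illustration and not CPython's own code: the pre-fix loop stops only once `used` live entries have been released, while the patched loop also stops at `table + oldsize`, so an overstated `used` can no longer drive it past the allocation. The table layout, the `DUMMY` marker and the stale pointers planted after the table are assumptions made for the demonstration.

```c
#include <stdlib.h>
/* Simplified model of a CPython set table (added example, not CPython's code).
 * A slot is empty when key == NULL and deleted when key == DUMMY. */
typedef struct { void *key; long hash; } setentry;
static int dummy_marker;
#define DUMMY ((void *)&dummy_marker)
/* Pre-fix loop shape: terminates only once `used` live entries have been seen, so
 * an overstated `used` walks past the table; returns slots stepped over to measure it. */
static size_t clear_loop_unbounded(setentry *table, size_t used)
{
    setentry *entry = table;
    for (; used > 0; entry++) {
        if (entry->key && entry->key != DUMMY) {
            used--;
            entry->key = NULL;           /* stands in for Py_DECREF(entry->key) */
        }
    }
    return (size_t)(entry - table);
}
/* Post-fix loop shape: `entry < table + oldsize` bounds the walk to the
 * allocated table even when `used` is inconsistent with its contents. */
static size_t clear_loop_bounded(setentry *table, size_t oldsize, size_t used)
{
    setentry *entry = table;
    for (; used > 0 && entry < table + oldsize; entry++) {
        if (entry->key && entry->key != DUMMY) {
            used--;
            entry->key = NULL;
        }
    }
    return (size_t)(entry - table);
}
/* Builds a table of `oldsize` slots holding `live` keys (live <= 16, live <= oldsize)
 * and reports `claimed_used` as the live count. SLACK zeroed slots after the table keep
 * the unbounded walk inside this allocation (claimed_used - live <= SLACK); the stale
 * non-NULL pointers planted there model what the old loop would decref in adjacent heap. */
#define SLACK 64
static size_t run_model(int bounded, size_t oldsize, size_t live, size_t claimed_used)
{
    static int keys[16];
    setentry *table = calloc(oldsize + SLACK, sizeof(setentry));
    if (!table) return 0;
    for (size_t i = 0; i < live; i++) table[i].key = &keys[i];
    for (size_t j = live; j < claimed_used && j - live < SLACK; j++)
        table[oldsize + (j - live)].key = &keys[0];
    size_t visited = bounded ? clear_loop_bounded(table, oldsize, claimed_used)
                             : clear_loop_unbounded(table, claimed_used);
    free(table);
    return visited;
}
```

With a consistent count both loops stop after the last live key; with `used` overstated by three, the bounded loop stops at the end of the eight-slot table while the unbounded one reaches slot 11.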
@bedevere-app

bedevere-app bot commented Jan 9, 2026

Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool.

If this change has little impact on Python users, wait for a maintainer to apply the skip news label instead.

@python-cla-bot

python-cla-bot bot commented Jan 9, 2026

All commit authors signed the Contributor License Agreement.

CLA signed


@skirpichev skirpichev removed their request for review January 11, 2026 07:24
