gh-146525: Add ndim validation to PyBuffer_ToContiguous for defense-in-depth#146523
gh-146525: Add ndim validation to PyBuffer_ToContiguous for defense-in-depth#146523l3tchupkt wants to merge 1 commit intopython:mainfrom
Conversation
|
Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool. If this change has little impact on Python users, wait for a maintainer to apply the |
|
Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool. If this change has little impact on Python users, wait for a maintainer to apply the |
ea5336e to
f651393
Compare
|
Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool. If this change has little impact on Python users, wait for a maintainer to apply the |
e01f2f6 to
8215d60
Compare
Objects/memoryobject.c
Outdated
| /* Validate ndim to prevent potential integer overflow in allocation. | ||
| * While Python-level code enforces PyBUF_MAX_NDIM, C extensions could | ||
| * potentially provide invalid values. This is a defense-in-depth check. */ | ||
| if (src->ndim < 0 || src->ndim > PyBUF_MAX_NDIM) { |
There was a problem hiding this comment.
I don't think it's really necessary:
- we already document that
ndimmust be valid: https://docs.python.org/3/c-api/buffer.html#c.Py_buffer.ndim. - if this check is needed, we also need to update the docs.
|
A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated. Once you have made the requested changes, please leave a comment on this pull request containing the phrase |
8215d60 to
f042fa6
Compare
Summary
Add validation of the
ndimparameter inPyBuffer_ToContiguous()to prevent potential integer overflow in memory allocation calculations. This is a defense-in-depth hardening measure.Fixes #146525
Problem
The allocation in
PyBuffer_ToContiguous():Could theoretically overflow if
ndimis excessively large. While Python-level code already enforcesPyBUF_MAX_NDIM(64), C extensions implementing customgetbufferproccould potentially provide invalidndimvalues.Solution
Add explicit validation before allocation to ensure
ndimis within the valid range (0 toPyBUF_MAX_NDIM).Changes
Objects/memoryobject.c:
PyBuffer_ToContiguous()to checkndimis within valid range (0-64)buffer_to_contiguous()for consistencyLib/test/test_memoryview.py:
test_ndim_limit()test case to verify:ndim > 64raisesValueErrorndimis rejectedMisc/NEWS.d/next/C_API/2026-03-27-00-00-00.gh-146525.abc123.rst:
Testing
All existing tests pass:
python -m test test_memoryview(140 tests OK)New validation test passes
Verified the fix correctly rejects invalid ndim values
Security Classification
This is a hardening improvement, not a fix for an actively exploitable vulnerability.
No CVE is warranted because:
ndim > ~3.8×10^17on 64-bit systems, which is not practically achievablePyBUF_MAX_NDIM(64)ndimvaluesWhy This Matters
PyBUF_MAX_NDIMndimin the C APIAuthor: Lakshmikanthan K (badassletchu@gmail.com)