AtomMethodWrapper's PyType_Spec at methodwrapper.cpp:213 specifies sizeof(MethodWrapper) as tp_basicsize. But AtomMethodWrapper has a CAtomPointer pointer member that MethodWrapper does not:
```cpp
struct MethodWrapper {
    PyObject_HEAD
    PyObject* im_func;
    PyObject* im_selfref;
};

struct AtomMethodWrapper {
    PyObject_HEAD
    PyObject* im_func;
    CAtomPointer pointer; // additional member, not present in MethodWrapper
};
```
Currently both structs happen to be the same size (one PyObject* vs one CAtomPointer which contains a CAtom*), so this is accidentally benign. But it is clearly a copy-paste bug from the MethodWrapper spec, and if the structs ever diverge in size, PyType_GenericNew would allocate too little memory and new(&wrapper->pointer) CAtomPointer(...) at methodwrapper.cpp:252 would write past the allocated block — heap buffer overflow.
Fix (methodwrapper.cpp:213):
```cpp
PyType_Spec AtomMethodWrapper::TypeObject_Spec = {
    PACKAGE_TYPENAME( "AtomMethodWrapper" ),
    sizeof( AtomMethodWrapper ), // was sizeof( MethodWrapper )
    0,
    Py_TPFLAGS_DEFAULT,
    AtomMethodWrapper_Type_slots
};
```
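The size mismatch described above, and the checks that catch it, as an added example that is not code from the atom project or from this issue. Everything in it is a constructed stand-in: `MockPyObject`/`MockTypeSpec` mimic the CPython object header and the `PyType_Spec` fields that matter here, `CAtomPointer` is modelled as the single `CAtom*` the issue describes, `AtomMethodWrapperGrown` is a hypothetical future layout with one extra member, and the helpers `spec_covers_struct` and `bytes_past_block` are names chosen for the example. It compiles without Python headers.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Constructed stand-ins for the CPython pieces involved (the real definitions
// come from Python.h and the atom project; these only reproduce the layout).
struct MockPyObject { intptr_t ob_refcnt; void* ob_type; };
#define MOCK_PyObject_HEAD MockPyObject ob_base;

// Mirrors the PyType_Spec fields relevant to allocation; the slot table is omitted.
struct MockTypeSpec {
    const char* name;
    int basicsize;   // bytes PyType_GenericNew allocates per instance
    int itemsize;
    unsigned flags;
};

struct CAtom;                              // opaque, as in the real project
struct CAtomPointer { CAtom* m_atom; };    // one raw pointer, as the issue describes

struct MethodWrapper {
    MOCK_PyObject_HEAD
    MockPyObject* im_func;
    MockPyObject* im_selfref;
};

struct AtomMethodWrapper {
    MOCK_PyObject_HEAD
    MockPyObject* im_func;
    CAtomPointer pointer;   // same size as im_selfref today, by accident
};

// Hypothetical future layout (assumption for the example) with one extra
// member: the "structs diverge in size" case the issue warns about.
struct AtomMethodWrapperGrown {
    MOCK_PyObject_HEAD
    MockPyObject* im_func;
    CAtomPointer pointer;
    MockPyObject* im_extra;
};

// The copy-paste spec, the fixed spec, and a correct spec for the grown layout.
constexpr MockTypeSpec kBuggySpec = { "AtomMethodWrapper", sizeof(MethodWrapper), 0, 0 };
constexpr MockTypeSpec kFixedSpec = { "AtomMethodWrapper", sizeof(AtomMethodWrapper), 0, 0 };
constexpr MockTypeSpec kGrownSpec = { "AtomMethodWrapper", sizeof(AtomMethodWrapperGrown), 0, 0 };

// Compile-time guard worth keeping next to the real spec: the build fails the
// moment the struct and the basicsize constant disagree.
static_assert(static_cast<size_t>(kFixedSpec.basicsize) == sizeof(AtomMethodWrapper),
              "tp_basicsize must match sizeof(AtomMethodWrapper)");

// Runtime check: does the spec allocate at least enough bytes for the struct
// that the type's slots will cast the allocated block to?
template <typename T>
bool spec_covers_struct(const MockTypeSpec& spec) {
    return spec.basicsize >= 0 && static_cast<size_t>(spec.basicsize) >= sizeof(T);
}

// How many bytes of a T-shaped instance (e.g. the placement-new of `pointer`
// and any member after it) would land past the block PyType_GenericNew hands back.
template <typename T>
size_t bytes_past_block(const MockTypeSpec& spec) {
    size_t have = spec.basicsize < 0 ? 0 : static_cast<size_t>(spec.basicsize);
    return sizeof(T) > have ? sizeof(T) - have : 0;
}

int main() {
    std::printf("buggy spec covers AtomMethodWrapper today: %s\n",
                spec_covers_struct<AtomMethodWrapper>(kBuggySpec) ? "yes" : "no");
    std::printf("buggy spec covers grown layout: %s (%zu bytes past block)\n",
                spec_covers_struct<AtomMethodWrapperGrown>(kBuggySpec) ? "yes" : "no",
                bytes_past_block<AtomMethodWrapperGrown>(kBuggySpec));
    std::printf("grown spec covers grown layout: %s\n",
                spec_covers_struct<AtomMethodWrapperGrown>(kGrownSpec) ? "yes" : "no");
    return 0;
}
```

With the current layouts the buggy spec still covers `AtomMethodWrapper`, which is why the bug is silent today; adding one pointer-sized member makes the same spec short by exactly `sizeof(void*)`, and the `static_assert` is the cheap way to make that divergence a compile error rather than a heap overflow.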
Found by cext-review-toolkit.