Conversation

@VanshAgarwal24036 (Contributor) commented Jan 16, 2026

This PR fixes a heap buffer overflow in ctypes arrays caused by assigning
class to an incompatible array type.

The change rejects class reassignment when the new array type differs
in length, size, or element type, preventing out-of-bounds memory access.
A regression test is included.

@VanshAgarwal24036 force-pushed the gh-143005-ctypes-class-safety branch from 59929a5 to d17521c on January 16, 2026 14:02
@VanshAgarwal24036 (Contributor, Author) commented:

@serhiy-storchaka
I’ve opened a PR fixing the ctypes array class reassignment issue discussed here.
CI is green now; no rush, just sharing in case you have time to take a look.

@serhiy-storchaka (Member) left a comment:


Thank you for your PR, @VanshAgarwal24036. I did not know what to do with this issue. It seems that adding a check in tp_setattro is the way to go. But I suspect we need more tests -- each condition should be covered by alternate tests.

@picnixz (Member) commented Jan 20, 2026

What if we simply expose __class__ as a getset? Isn't it possible?

@serhiy-storchaka (Member) commented Jan 20, 2026

There are problems with such special names. If we expose __class__ as a getset, then c_long.__class__ will not be the type of c_long (the same as type(c_long)), but a descriptor. This will confuse much code.

@picnixz (Member) commented Jan 20, 2026

Arf, yes, you are right. It just feels to me that it is overkill, but I do not think we have a better alternative, do we?

@VanshAgarwal24036 (Contributor, Author) commented:

Thanks for the discussion.

I agree that exposing __class__ as a getset would be problematic, since it would turn
type(obj).__class__ into a descriptor and break expectations.

Given that, validating reassignment in tp_setattro seems like the least disruptive
approach. I will follow up with additional tests to cover the remaining edge cases
(abstract targets, non-array targets, zero-length arrays, etc.) if you suggest.
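The following is an added example, not code from this PR or from CPython: it models in pure Python the compatibility check the PR description places in the C-level tp_setattro of _ctypes, so the three rejection conditions (different length, byte size or element type) and the edge cases named in the last comment (abstract targets, non-array targets, zero-length arrays) can be exercised without touching the interpreter. The names `class_reassignment_allowed`, `safe_set_class`, `run_checks`, `Tagged` and the sample array types are hypothetical; the reasoning it encodes is that a target type whose per-element accessors assume a larger or differently shaped buffer than the one the object was allocated with must be refused before the assignment happens.

```python
import ctypes


def _array_layout(tp):
    """Return (element type, length, byte size) for a concrete ctypes array
    type, or None when tp is not one: a non-array type such as c_int, or the
    abstract ctypes.Array base, which carries no _type_/_length_ and no size."""
    if not (isinstance(tp, type) and issubclass(tp, ctypes.Array)):
        return None
    elem = getattr(tp, "_type_", None)
    length = getattr(tp, "_length_", None)
    if elem is None or length is None:
        return None
    try:
        size = ctypes.sizeof(tp)
    except TypeError:  # abstract types have no size
        return None
    return (elem, length, size)


def class_reassignment_allowed(obj, new_cls):
    """Python model (hypothetical, not the C code of the PR) of the check the
    PR adds: allow obj.__class__ = new_cls only when old and new are both
    concrete array types with the same element type, length and byte size.
    Any mismatch would let the new type's accessors index past the buffer
    that was allocated for the old type."""
    old = _array_layout(type(obj))
    new = _array_layout(new_cls)
    if old is None or new is None:
        return False
    return old == new


def safe_set_class(obj, new_cls):
    """Guarded __class__ assignment: refuse layout-incompatible targets before
    the object is touched, otherwise perform the assignment and return obj."""
    if not class_reassignment_allowed(obj, new_cls):
        raise TypeError(
            f"__class__ assignment: {new_cls!r} is not layout-compatible "
            f"with {type(obj)!r}")
    obj.__class__ = new_cls
    return obj


# Constructed sample types for the demonstration (not from the PR's test).
IntArray4 = ctypes.c_int * 4
IntArray8 = ctypes.c_int * 8
CharArray4 = ctypes.c_char * 4
IntArray0 = ctypes.c_int * 0
CharArray0 = ctypes.c_char * 0


class Tagged(IntArray4):
    """Same layout as IntArray4: the one kind of target that stays legal."""


def run_checks():
    """Exercise each rejection condition and the single allowed case."""
    a = IntArray4(1, 2, 3, 4)
    z = IntArray0()
    results = {
        "same_layout_subclass": class_reassignment_allowed(a, Tagged),
        "different_length": class_reassignment_allowed(a, IntArray8),
        "different_element_type": class_reassignment_allowed(a, CharArray4),
        "non_array_target": class_reassignment_allowed(a, ctypes.c_int),
        "abstract_target": class_reassignment_allowed(a, ctypes.Array),
        # zero-length arrays: an equal byte size (0) is not enough on its own,
        # the element type still has to match
        "zero_length_other_elem": class_reassignment_allowed(z, CharArray0),
        "zero_length_same_type": class_reassignment_allowed(z, IntArray0),
    }
    # The allowed case goes through and leaves the contents intact.
    safe_set_class(a, Tagged)
    results["after_allowed_reassignment"] = (type(a) is Tagged, list(a))
    return results


if __name__ == "__main__":
    for name, value in run_checks().items():
        print(f"{name}: {value}")
```

Comparing the element type as well as the byte size is what makes the zero-length case come out right: two empty arrays of different element types have the same size, but after reassignment every later index or resize would be interpreted with the wrong element type, so the model treats them as incompatible just as it does arrays of different length.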
