Closed
Description
Argument Clinic str_converter generates such code when encoding is set (see function test_str_converter_encoding in file Lib/test/clinic.test):
    /* -- snip -- */
        if (!_PyArg_ParseStack(args, nargs, "esesetes#et#:test_str_converter_encoding",
            "idna", &a, "idna", &b, "idna", &c, "idna", &d, &d_length, "idna", &e, &e_length)) {
            goto exit;
        }
        return_value = test_str_converter_encoding_impl(module, a, b, c, d, d_length, e, e_length);

    exit:
        /* Cleanup for a */
        if (a) {
           PyMem_FREE(a);
        }
        /* Cleanup for b */
        if (b) {
           PyMem_FREE(b);
        }
        /* Cleanup for c */
        if (c) {
           PyMem_FREE(c);
        }
    /* -- snip -- */
If parsing a succeeds, a will be assigned an address pointing to allocated memory. After that, if parsing b fails, the memory which a points to is freed by function _PyArg_ParseStack, and _PyArg_ParseStack returns 0, then control flow goes to label "exit". At this time, a is not NULL, so the memory it points to is freed again, which causes a double-free problem and a runtime crash.
This bug was found in #96178 "Argument Clinic functional test".
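The ownership problem described above, reduced to a stand-alone model and shown next to one way to harden it (the parser clears the caller's pointer when it frees on failure). This is an added example, not CPython code: tracked_alloc, tracked_free, parse_two and run_wrapper are hypothetical stand-ins, and the allocator counts a second free instead of corrupting the heap.

```c
#include <stdio.h>

/* Constructed tracked allocator (not CPython's): a second free of the same
   buffer is counted in double_frees instead of corrupting the heap. */
#define SLOTS 4
static char pool[SLOTS][8];
static int live[SLOTS], double_frees;

static char *tracked_alloc(void) {
    for (int i = 0; i < SLOTS; i++)
        if (!live[i]) { live[i] = 1; return pool[i]; }
    return NULL;
}

static void tracked_free(char *p) {
    for (int i = 0; i < SLOTS; i++) {
        if (p != pool[i]) continue;
        if (live[i]) live[i] = 0;
        else double_frees++;        /* buffer was already released */
    }
}

/* Hypothetical parser: on failure it frees what it already allocated.
   reset != 0 selects the hardened form that also clears the caller's pointer. */
static int parse_two(int b_converts, char **a, char **b, int reset) {
    *a = tracked_alloc();
    if (!b_converts) {              /* second argument fails to convert */
        tracked_free(*a);
        if (reset) *a = NULL;
        return 0;
    }
    *b = tracked_alloc();
    return 1;
}

/* Caller shaped like the generated wrapper; returns the double frees seen. */
int run_wrapper(int b_converts, int reset) {
    char *a = NULL, *b = NULL;
    double_frees = 0;
    if (!parse_two(b_converts, &a, &b, reset)) goto exit;  /* impl would run on success */
exit:
    if (a) tracked_free(a);
    if (b) tracked_free(b);
    return double_frees;
}

int main(void) {
    printf("unhardened: %d, hardened: %d\n", run_wrapper(0, 0), run_wrapper(0, 1));
    return 0;
}
```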