8000 BUG: Invalid read of size 4 in PyArray_FromFile · numpy/numpy@f14ad75 · GitHub
[go: up one dir, main page]
Skip to content

Commit f14ad75

Browse files
rainwoodmancharris
rainwoodman
authored and
charris
committed
BUG: Invalid read of size 4 in PyArray_FromFile
When the input dtype has a subarray, the dtype is DECREFed by PyArray_NewFromDescr, before dtype->elsize is accessed. If no one else holds a reference to the dtype object, then the dtype object will be destroyed, and dtype->elsize shall not be accessed. This raises an error in Valgrind, and occasionally crashes innocently looking code. e.g. ```numpy.fromfile('filename', dtype=('f8', 3'))``` This affects versions as early as 1.9.2 (where I found this bug) and seems to be still relevant today. Closes #7756.
1 parent 4ccf3d7 commit f14ad75

File tree

1 file changed

+8
-1
lines changed

1 file changed

+8
-1
lines changed

numpy/core/src/multiarray/ctors.c

Lines changed: 8 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -3260,17 +3260,20 @@ array_fromfile_binary(FILE *fp, PyArray_Descr *dtype, npy_intp num, size_t *nrea
32603260
}
32613261
num = numbytes / dtype->elsize;
32623262
}
3263+
Py_INCREF(dtype);
32633264
r = (PyArrayObject *)PyArray_NewFromDescr(&PyArray_Type,
32643265
dtype,
32653266
1, &num,
32663267
NULL, NULL,
32673268
0, NULL);
32683269
if (r == NULL) {
3269-
return NULL;
3270+
goto fail;
32703271
}
32713272
NPY_BEGIN_ALLOW_THREADS;
32723273
*nread = fread(PyArray_DATA(r), dtype->elsize, num, fp);
32733274
NPY_END_ALLOW_THREADS;
3275+
fail:
3276+
Py_DECREF(dtype);
32743277
return r;
32753278
}
32763279

@@ -3293,13 +3296,16 @@ array_from_text(PyArray_Descr *dtype, npy_intp num, char *sep, size_t *nread,
32933296
npy_intp bytes, totalbytes;
32943297

32953298
size = (num >= 0) ? num : FROM_BUFFER_SIZE;
3299+
3300+
Py_INCREF(dtype);
32963301
r = (PyArrayObject *)
32973302
PyArray_NewFromDescr(&PyArray_Type,
32983303
dtype,
32993304
1, &size,
33003305
NULL, NULL,
33013306
0, NULL);
33023307
if (r == NULL) {
3308+
Py_DECREF(dtype);
33033309
return NULL;
33043310
}
33053311
clean_sep = swab_separator(sep);
@@ -3348,6 +3354,7 @@ array_from_text(PyArray_Descr *dtype, npy_intp num, char *sep, size_t *nread,
33483354
free(clean_sep);
33493355

33503356
fail:
3357+
Py_DECREF(dtype);
33513358
if (err == 1) {
33523359
PyErr_NoMemory();
33533360
}

0 commit comments

Comments
 (0)
0