oss-fuzz-451112368: fix found crash #144807

Open
AdamKorcz wants to merge 2 commits into python:main from AdamKorcz:oss-fuzz-fix-1

@AdamKorcz

Signed-off-by: Adam <adam@Adam-Workstation.lan>

@bedevere-app

bedevere-app bot commented Feb 13, 2026

Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool.

If this change has little impact on Python users, wait for a maintainer to apply the skip news label instead.

@ammaraskar
Member

Thanks for the contribution! Would you mind adding a regression test for this in https://github.com/python/cpython/blob/main/Lib/test/test_tokenize.py

@gpshead self-assigned this Feb 14, 2026

Add a test covering truncated multi-byte UTF-8 sequences at end of input.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

@gpshead
Member

gpshead commented Feb 14, 2026

I added a test.

(discussed with PSRT) We're not considering this a security issue; compile() is not safe against untrusted input (nor are the other paths that are actually executing code rather than just compiling it). It can read a couple bytes past the end of the input bytes at most. At worst a crash (ASAN in particular, which I believe is how oss-fuzz found it); you'd likely get a SyntaxError as intended otherwise.
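
An added illustration of the bug class discussed in this thread, not CPython's tokenizer code and not part of any comment here: a structural UTF-8 scan that checks the remaining length before touching continuation bytes, so a multi-byte sequence truncated at end of input is reported instead of read past. The function names and sample buffers are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Sequence length implied by a UTF-8 lead byte; 0 if it cannot start one. */
static size_t utf8_expected_len(unsigned char lead)
{
    if (lead < 0x80) return 1;
    if (lead >= 0xC2 && lead <= 0xDF) return 2;
    if (lead >= 0xE0 && lead <= 0xEF) return 3;
    if (lead >= 0xF0 && lead <= 0xF4) return 4;
    return 0; /* continuation byte or invalid lead (0x80-0xC1, 0xF5-0xFF) */
}

/*
 * Hypothetical helper: returns the offset of the first byte that does not
 * begin a structurally complete UTF-8 sequence, or len if the buffer is clean.
 * Structural check only (lead byte plus continuation bytes); overlong forms
 * and surrogates are out of scope here.
 */
size_t utf8_first_bad_offset(const unsigned char *buf, size_t len)
{
    size_t i = 0;
    while (i < len) {
        size_t need = utf8_expected_len(buf[i]);
        if (need == 0)
            return i;
        /* Bounds check first: a lead byte near the end may promise more
         * bytes than remain. Without this, buf[i + k] reads past the end. */
        if (need > len - i)
            return i;
        for (size_t k = 1; k < need; k++) {
            if ((buf[i + k] & 0xC0) != 0x80)
                return i;
        }
        i += need;
    }
    return len;
}

int main(void)
{
    /* Constructed inputs: "a" + U+00E9 complete, then the same cut short. */
    const unsigned char complete[] = { 'a', 0xC3, 0xA9 };
    const unsigned char truncated[] = { 'a', 0xC3 };
    printf("complete:  %zu of %zu\n", utf8_first_bad_offset(complete, sizeof complete), sizeof complete);
    printf("truncated: %zu of %zu\n", utf8_first_bad_offset(truncated, sizeof truncated), sizeof truncated);
    return 0;
}
```

Building this with `-fsanitize=address` and removing the `need > len - i` check shows the kind of report a fuzzer produces for the truncated inputs.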

@gpshead
Member

gpshead commented Feb 14, 2026

We do like to have issues filed to track things - read up on https://devguide.python.org/getting-started/pull-request-lifecycle/#pullrequest

As I believe you're intending to fix up a bunch of fuzzer-found items, consider making a tracking issue for similar themes of those "parser crashes" or similar for this one for example - we don't need one issue per item when they aren't actually security related.

While you're working on already public oss-fuzz findings, as they are public it is fine to go ahead and make public PRs.

But if you come across any that seem actually security relevant, please reach out via email to the PSRT, or since you're producing fix PRs maybe just use https://github.com/python/cpython/security to drop those in GHSAs for us to look over (many will probably be things we just open directly to the public as a non-concern "more of a bug" like this one).
