Hi, I had reported this to Python a while ago. I'm attaching my original report below.
--------------------
I stumbled upon a segfault in python that turned out to be a use-after-free
error. As UAF bugs can lead to memory corruption and potentially
security issues, and as this issue is triggered by input to a very
common function (encode()), I am reporting this as a security issue, as it
may have larger security implications.
A testcase is attached. The zip attached contains a script
"crashme", which will just read the content of a file as binary data
and then run decode("unicode_escape", errors="ignore") on it
(errors="replace" causes the same issue).
With the sample file large.txt, this segfaults python for me:
./crashme large.txt
Segmentation fault
small.txt is a reduced testcase that will not lead to a crash, but with
a python build with Address Sanitizer/ASAN, it will still show a use
after free.
The ASAN error, showing a use after free read in
_PyUnicode_DecodeUnicodeEscapeStateful, is in asan-error.txt.
--
Hanno Böck - Independent security researcher
https://itsec.hboeck.de/
https://badkeys.info/
<<attachment: pyuaf.zip>>
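For readers triaging a report like this one, the two things worth having at hand are (a) what the `unicode_escape` codec's `errors="ignore"` and `errors="replace"` handlers actually do on malformed escapes (the code path named in the report) and (b) a way to feed untrusted input to the decoder without the triage process itself dying if the codec crashes. The following is an added example, not part of Hanno's report or of the attached `crashme` script; the malformed inputs are constructed here to exercise the error handlers and are not the report's `large.txt`/`small.txt` trigger, and the function names (`compare_error_handlers`, `isolated_decode`, `isolated_decode_bytes`) are assumptions of this example.

```python
import subprocess
import sys
import tempfile

# Constructed sample inputs (assumption: they only exercise the error handlers
# of the unicode_escape codec; they are not the crash trigger from the report).
TRUNCATED_AT_END = b"ab\\x4"      # \x escape cut off by the end of input
TRUNCATED_BY_NONHEX = b"ab\\x4g"  # \x escape followed by a non-hex byte


def decode_unicode_escape(data: bytes, errors: str = "strict") -> str:
    """Decode bytes with the unicode_escape codec under a chosen error handler."""
    return data.decode("unicode_escape", errors=errors)


def compare_error_handlers(data: bytes) -> dict:
    """Show what each error handler produces for one input.

    'strict' raises on a malformed escape, so its entry records the exception
    class name; 'ignore' drops the bad escape, 'replace' substitutes U+FFFD.
    """
    results = {}
    for errors in ("strict", "ignore", "replace"):
        try:
            results[errors] = decode_unicode_escape(data, errors)
        except UnicodeDecodeError as exc:
            results[errors] = type(exc).__name__
    return results


# Source for the child interpreter: read a file as binary and decode it with
# the requested error handler, mirroring what the report's crashme script does.
CHILD_SRC = r"""
import sys
data = open(sys.argv[1], "rb").read()
print(len(data.decode("unicode_escape", errors=sys.argv[2])))
"""


def isolated_decode(path: str, errors: str = "ignore", timeout: float = 30.0) -> int:
    """Run the decode in a separate interpreter so a crashing codec cannot
    take down the caller.

    Returns the child's exit status: 0 on success, 1 on a Python-level error,
    and a negative value if the child was killed by a signal (on Linux, -11
    means SIGSEGV, which is what a use-after-free typically shows up as).
    -X faulthandler makes the child print a Python traceback on a fatal signal.
    """
    proc = subprocess.run(
        [sys.executable, "-X", "faulthandler", "-c", CHILD_SRC, path, errors],
        capture_output=True,
        timeout=timeout,
    )
    return proc.returncode


def isolated_decode_bytes(data: bytes, errors: str = "ignore") -> int:
    """Convenience wrapper: write the bytes to a temp file and decode in isolation."""
    with tempfile.NamedTemporaryFile(suffix=".bin") as tmp:
        tmp.write(data)
        tmp.flush()
        return isolated_decode(tmp.name, errors)


if __name__ == "__main__":
    for sample in (TRUNCATED_AT_END, TRUNCATED_BY_NONHEX):
        print(sample, "->", compare_error_handlers(sample))
    # Usage on a file from a report: a negative status means the child crashed.
    if len(sys.argv) > 1:
        print("child exit status:", isolated_decode(sys.argv[1]))
```

Running `isolated_decode` on a reported test file gives a status you can record in a ticket: 0 means the decoder handled the input, while a negative status means the interpreter died from a signal and the input deserves a run under an ASAN build, as the report describes.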
