Skip to content

gh-143544: Fix possible use-after-free in the JSON decoder when JSONDecodeError disappears during raising it #143561

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
vstinner merged 25 commits into from
Jan 12, 2026
Merged

gh-143544: Fix possible use-after-free in the JSON decoder when JSONDecodeError disappears during raising it #143561

Show file tree
Hide file tree
Changes from 6 commits
Commits
Show all changes
25 commits
Select commit Hold shift + click to select a range
9477824
gh-143544: Fix use-after-free in _json.raise_errmsg
VanshAgarwal24036 Jan 8, 2026
946aee3
gh-143544: Fix use-after-free in _json.raise_errmsg
VanshAgarwal24036 Jan 8, 2026
55b4850
gh-143544: Add regression test for re-entrant JSONDecodeError
VanshAgarwal24036 Jan 8, 2026
1940b1e
gh-143544: Add NEWS entry
VanshAgarwal24036 Jan 8, 2026
ed2c55c
gh-143544: Fix trailing whitespace in test
VanshAgarwal24036 Jan 8, 2026
099fc4f
gh-143544: Adjust regression test to allow SystemError
VanshAgarwal24036 Jan 8, 2026
b238345
gh-143544: Fix use-after-free in _json.raise_errmsg
VanshAgarwal24036 Jan 9, 2026
fa69d1e
gh-143544: Move json import to module level in regression test
VanshAgarwal24036 Jan 9, 2026
39767c6
gh-143544: Remove unnecessary comment
VanshAgarwal24036 Jan 9, 2026
b500563
gh-143544: Fix reference lifetime in raise_errmsg
VanshAgarwal24036 Jan 9, 2026
5841c2c
Update Lib/test/test_json/test_fail.py
VanshAgarwal24036 Jan 9, 2026
c397e8e
gh-143544: Remove unnecessary json import from regression test
VanshAgarwal24036 Jan 9, 2026
10c61c4
gh-143544: Use support.swap_attr in re-entrant JSONDecodeError test
VanshAgarwal24036 Jan 9, 2026
4a7f323
gh-143544: Fix use-after-free in _json.raise_errmsg
VanshAgarwal24036 Jan 9, 2026
0b38b8e
Update Lib/test/test_json/test_fail.py
VanshAgarwal24036 Jan 9, 2026
0593e2f
Update Lib/test/test_json/test_fail.py
VanshAgarwal24036 Jan 9, 2026
b485677
gh-143544: Tighten regression test exception assertion
VanshAgarwal24036 Jan 9, 2026
bbc357d
gh-143544: Fix re-entrant JSONDecodeError regression test
VanshAgarwal24036 Jan 9, 2026
765ffb2
test_json: add regression test for re-entrant JSONDecodeError crash
VanshAgarwal24036 Jan 9, 2026
b745fed
test_json: added Comment
VanshAgarwal24036 Jan 9, 2026
0a03442
test_json: assert TypeError for invalid JSONDecodeError replacement
VanshAgarwal24036 Jan 10, 2026
4257cdc
test_json: document and assert refcount for reentrant JSONDecodeError…
VanshAgarwal24036 Jan 10, 2026
74cfaed
test_json: fix reentrant JSONDecodeError test
VanshAgarwal24036 Jan 10, 2026
211cb30
test_json: fix re-entrant JSONDecodeError test
VanshAgarwal24036 Jan 10, 2026
a2e23bc
gh-143544: Revert test_json regression test changes
VanshAgarwal24036 Jan 10, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 28 additions & 0 deletions Lib/test/test_json/test_fail.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -236,5 +236,33 @@ def test_linecol(self):
'Expecting value: line %s column %d (char %d)' %
(line, col, idx))

def test_reentrant_jsondecodeerror_does_not_crash(self):
# gh-143544
import json
Copy link
Copy Markdown
Member

@vstinner vstinner Jan 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please move this import at the module top level.

Copy link
Copy Markdown
Contributor Author

@VanshAgarwal24036 VanshAgarwal24036 Jan 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Moved import json to the module top level as requested. Thanks.


orig_json_error = json.JSONDecodeError
orig_decoder_error = json.decoder.JSONDecodeError
Comment thread
VanshAgarwal24036 marked this conversation as resolved.
Outdated

class Trigger:
def __call__(self, *args):
Comment thread
VanshAgarwal24036 marked this conversation as resolved.
Outdated
# Remove JSONDecodeError during construction to trigger re-entrancy
del json.JSONDecodeError
del json.decoder.JSONDecodeError
return ValueError("boom")
Copy link
Copy Markdown
Member

@serhiy-storchaka serhiy-storchaka Jan 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just for the case, call test.support.gc_collect() .


hook = Trigger()
Copy link
Copy Markdown
Member

@serhiy-storchaka serhiy-storchaka Jan 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hook must be a subclass of BaseException, otherwise PyErr_SetObject() will raise a SystemError.

class hook(Exception):
    def __new__(...):
        # ...

And now calling gc_collect() is a necessity, because class creates a reference loop.

try:
json.JSONDecodeError = hook
json.decoder.JSONDecodeError = hook

# The exact exception type is not important here;
# this test only ensures we don't crash.
with self.assertRaises(Exception):
Copy link
Copy Markdown
Member

@picnixz picnixz Jan 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Check the exact exception.

Copy link
Copy Markdown
Contributor Author

@VanshAgarwal24036 VanshAgarwal24036 Jan 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point — agreed. I’ll update the test to assert the exact expected exception (JSONDecodeError) instead of a generic Exception, so the regression is checked more precisely.

json.loads('"\\uZZZZ"')

Comment thread
VanshAgarwal24036 marked this conversation as resolved.
Outdated
finally:
json.JSONDecodeError = orig_json_error
json.decoder.JSONDecodeError = orig_decoder_error

Comment thread
VanshAgarwal24036 marked this conversation as resolved.
Outdated
class TestPyFail(TestFail, PyTest): pass
class TestCFail(TestFail, CTest): pass
11 changes: 6 additions & 5 deletions Modules/_json.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -415,19 +415,20 @@ raise_errmsg(const char *msg, PyObject *s, Py_ssize_t end)
{
/* Use JSONDecodeError exception to raise a nice looking ValueError subclass */
Comment thread
ZeroIntensity marked this conversation as resolved.
_Py_DECLARE_STR(json_decoder, "json.decoder");

Copy link
Copy Markdown
Member

@picnixz picnixz Jan 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is an unrelated change.

PyObject *JSONDecodeError =
PyImport_ImportModuleAttr(&_Py_STR(json_decoder), &_Py_ID(JSONDecodeError));
PyImport_ImportModuleAttr(&_Py_STR(json_decoder), &_Py_ID(JSONDecodeError));
Copy link
Copy Markdown
Member

@ZeroIntensity ZeroIntensity Jan 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Again please don't make unrelated formatting changes.

Copy link
Copy Markdown
Member

@vstinner vstinner Jan 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please revert this change.

if (JSONDecodeError == NULL) {
return;
}

PyObject *exc;
exc = PyObject_CallFunction(JSONDecodeError, "zOn", msg, s, end);
Py_DECREF(JSONDecodeError);
if (exc) {
PyObject *exc = PyObject_CallFunction(JSONDecodeError, "zOn", msg, s, end);
Copy link
Copy Markdown
Member

@picnixz picnixz Jan 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is also an unrelated change.

if (exc != NULL) {
Copy link
Copy Markdown
Member

@ZeroIntensity ZeroIntensity Jan 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same here. The only change we need is the movement of the Py_DECREF call.

Copy link
Copy Markdown
Member

@vstinner vstinner Jan 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please revert this change, only move Py_DECREF(JSONDecodeError);.

PyErr_SetObject(JSONDecodeError, exc);
Py_DECREF(exc);
}

Py_DECREF(JSONDecodeError);
}

static void
Expand Down
Loading