[3.13] gh-144759: Fix undefined behavior from NULL pointer arithmetic in lexer (GH-144788) (#145355)

2026-04-14 15:50:50 +00:00 · 2026-02-28 13:49:37 +00:00 · 2026-02-28 13:49:37 +00:00 · 1a2b0fb3e5
commit 1a2b0fb3e5
parent 2daece9903
3 changed files with 24 additions and 4 deletions
--- a/Lib/test/test_repl.py
+++ b/Lib/test/test_repl.py
@ -143,6 +143,22 @@ def test_multiline_string_parsing(self):
        output = kill_python(p)
        self.assertEqual(p.returncode, 0)

+    @cpython_only
+    def test_lexer_buffer_realloc_with_null_start(self):
+        # gh-144759: NULL pointer arithmetic in the lexer when start and
+        # multi_line_start are NULL (uninitialized in tok_mode_stack[0])
+        # and the lexer buffer is reallocated while parsing long input.
+        long_value = "a" * 2000
+        user_input = dedent(f"""\
+        x = f'{{{long_value!r}}}'
+        print(x)
+        """)
+        p = spawn_repl()
+        p.stdin.write(user_input)
+        output = kill_python(p)
+        self.assertEqual(p.returncode, 0)
+        self.assertIn(long_value, output)
+
    def test_close_stdin(self):
        user_input = dedent('''
            import os
--- a/Builtins/2026-02-13-12-00-00.gh-issue-144759.d3qYpe.rst
+++ b/Builtins/2026-02-13-12-00-00.gh-issue-144759.d3qYpe.rst
@ -0,0 +1,4 @@
+Fix undefined behavior in the lexer when ``start`` and ``multi_line_start``
+pointers are ``NULL`` in ``_PyLexer_remember_fstring_buffers()`` and
+``_PyLexer_restore_fstring_buffers()``. The ``NULL`` pointer arithmetic
+(``NULL - valid_pointer``) is now guarded with explicit ``NULL`` checks.
--- a/Parser/lexer/buffer.c
+++ b/Parser/lexer/buffer.c
@ -13,8 +13,8 @@ _PyLexer_remember_fstring_buffers(struct tok_state *tok)

    for (index = tok->tok_mode_stack_index; index >= 0; --index) {
        mode = &(tok->tok_mode_stack[index]);
-        mode->f_string_start_offset = mode->f_string_start - tok->buf;
-        mode->f_string_multi_line_start_offset = mode->f_string_multi_line_start - tok->buf;
+        mode->f_string_start_offset = mode->f_string_start == NULL ? -1 : mode->f_string_start - tok->buf;
+        mode->f_string_multi_line_start_offset = mode->f_string_multi_line_start == NULL ? -1 : mode->f_string_multi_line_start - tok->buf;
    }
 }

@ -27,8 +27,8 @@ _PyLexer_restore_fstring_buffers(struct tok_state *tok)

    for (index = tok->tok_mode_stack_index; index >= 0; --index) {
        mode = &(tok->tok_mode_stack[index]);
-        mode->f_string_start = tok->buf + mode->f_string_start_offset;
-        mode->f_string_multi_line_start = tok->buf + mode->f_string_multi_line_start_offset;
+        mode->f_string_start = mode->f_string_start_offset < 0 ? NULL : tok->buf + mode->f_string_start_offset;
+        mode->f_string_multi_line_start = mode->f_string_multi_line_start_offset < 0 ? NULL : tok->buf + mode->f_string_multi_line_start_offset;
    }
 }