Skip to content

gh-143005: prevent incompatible __class__ reassignment for ctypes arrays #143907

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
VanshAgarwal24036 wants to merge 12 commits into
base: main
Choose a base branch
from
Open

gh-143005: prevent incompatible __class__ reassignment for ctypes arrays #143907

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
d17521c
gh-143005: prevent incompatible __class__ reassignment for ctypes arrays
VanshAgarwal24036 Jan 16, 2026
670c7a1
gh-143005: trim trailing whitespace
VanshAgarwal24036 Jan 16, 2026
32fac41
News added
VanshAgarwal24036 Jan 17, 2026
abfe97e
Merge branch 'main' into gh-143005-ctypes-class-safety
VanshAgarwal24036 Jan 17, 2026
56903c5
gh-143005: disallow incompatible __class__ reassignment for ctypes ar…
VanshAgarwal24036 Jan 20, 2026
5bb9dfb
gh-143005: fix ctypes array __class__ reassignment tests
VanshAgarwal24036 Jan 20, 2026
8abda12
gh-143005: apply prek fixes
VanshAgarwal24036 Jan 20, 2026
4dc1890
Added all test cases
VanshAgarwal24036 Feb 12, 2026
1ed8361
Added all test cases
VanshAgarwal24036 Feb 12, 2026
d784203
Error Fixed
VanshAgarwal24036 Feb 13, 2026
ab67884
Lint Fixed
VanshAgarwal24036 Feb 13, 2026
ff24e32
Merge branch 'main' into gh-143005-ctypes-class-safety
serhiy-storchaka May 11, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
97 changes: 97 additions & 0 deletions Lib/test/test_ctypes/test_arrays.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -103,6 +103,103 @@ def test_simple(self):
with self.assertRaises(TypeError):
del ca[0]

def test_ctypes_array_class_assignment_incompatible(self):
Comment thread
VanshAgarwal24036 marked this conversation as resolved.
A = c_long * 3
B = c_long * 5
x = A(1, 2, 3)

with self.assertRaises(TypeError):
x.__class__ = B

def test_ctypes_array_class_assignment_incompatible_target(self):
A = c_int * 3
class OtherArray(Array):
_type_ = c_int
_length_ = 4 # incompatible length

a = A()

with self.assertRaises(TypeError):
a.__class__ = OtherArray


def test_ctypes_array_class_assignment_zero_length(self):
A = c_long * 0
B = c_long * 1
a = A()

with self.assertRaises(TypeError):
a.__class__ = B

def test_ctypes_array_class_assignment_incompatible_element_type(self):
A = c_int * 3
B = c_double * 3
Comment on lines +135 to +136
Copy link
Copy Markdown
Member

@serhiy-storchaka serhiy-storchaka May 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

c_int and c_double most likely have different size. We need to test different types with the same size. I suggest to unite multiple tests in the same method and use a loop with an array of type pairs:

for A, B in [
    (c_int * 3, c_double * 3),
    (c_long * 3, c_double * 3),
    (c_longlong * 3, c_double * 3),
    ...
]:
    with self.subTest(A=A, B=B):
        a = A()
        with self.assertRaises(TypeError):
            a.__class__ = B

You can also use test.support.subTests.

a = A()

with self.assertRaises(TypeError):
a.__class__ = B

def test_ctypes_array_class_assignment_signed_unsigned(self):
A = c_long * 3
B = c_ulonglong * 3
Comment on lines +143 to +144
Copy link
Copy Markdown
Member

@serhiy-storchaka serhiy-storchaka May 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

c_long and c_ulonglong can also have different size. Should not we test c_long with c_longlong.

a = A()

with self.assertRaises(TypeError):
a.__class__ = B

def test_ctypes_array_class_assignment_compatible(self):
A = c_int * 3
class SameArray(Array):
_type_ = c_int
_length_ = 3
a = A(1, 2, 3)
a.__class__ = SameArray

def test_ctypes_array_class_assignment_non_ctypes_target(self):
A = c_int * 3
a = A()
class Dummy:
pass

with self.assertRaises(TypeError):
a.__class__ = Dummy

def test_ctypes_array_class_assignment_abstract_target(self):
A = c_int * 3
a = A()
AbstractArray = PyCArrayType.__new__(PyCArrayType, "AbstractArray", (Array,), {})

with self.assertRaises(TypeError):
a.__class__ = AbstractArray

def test_ctypes_array_class_assignment_same_size_ints(self):
if sizeof(c_int) != sizeof(c_long):
Copy link
Copy Markdown
Member

@serhiy-storchaka serhiy-storchaka May 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If sizeof(c_int) != sizeof(c_long), try other pair, for example c_long and c_longlong.

self.skipTest("sizes differ on this platform")
A = c_int * 3
B = c_long * 3
a = A(1, 2, 3)
a.__class__ = B

def test_ctypes_array_class_assignment_structs(self):
class S1(Structure):
Copy link
Copy Markdown
Member

@serhiy-storchaka serhiy-storchaka May 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does it work for different structs with the same definition?

_fields_ = [("x", c_int)]
A = S1 * 2
B = S1 * 2
a = A()
a.__class__ = B

def test_ctypes_array_class_assignment_pointer_arrays(self):
from ctypes import POINTER
A = POINTER(c_int) * 2
B = POINTER(c_int) * 2
a = A()
a.__class__ = B

def test_ctypes_array_from_param_incompatible(self):
A = c_int * 3
with self.assertRaises(TypeError):
A.from_param(object())

def test_step_overflow(self):
a = (c_int * 5)()
a[3::sys.maxsize] = (1,)
Expand Down
2 changes: 2 additions & 0 deletions Misc/NEWS.d/next/Library/2026-01-17-16-35-57.gh-issue-143005.WKf6GL.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
Fix a memory safety issue in ctypes arrays by rejecting ``__class__``
assignment to incompatible array types.
72 changes: 72 additions & 0 deletions Modules/_ctypes/_ctypes.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1084,6 +1084,28 @@ CDataType_from_param_impl(PyObject *type, PyTypeObject *cls, PyObject *value)
return Py_NewRef(value);
}
ctypes_state *st = get_module_state_by_class(cls);

/* Disallow incompatible ctypes array __class__ reassignment */
Comment thread
VanshAgarwal24036 marked this conversation as resolved.
StgInfo *old_info = NULL;
StgInfo *new_info = NULL;
if (PyStgInfo_FromObject(st, value, &old_info) == 0 &&
Comment thread
VanshAgarwal24036 marked this conversation as resolved.
PyStgInfo_FromType(st, type, &new_info) == 0 &&
old_info != NULL &&
new_info != NULL &&
Comment thread
VanshAgarwal24036 marked this conversation as resolved.
old_info->length >= 0 &&
new_info->length >= 0)
{
if (old_info->length != new_info->length ||
old_info->size != new_info->size ||
old_info->proto != new_info->proto)
{
PyErr_SetString(
PyExc_TypeError,
"cannot assign incompatible ctypes array type"
);
return NULL;
}
}
if (PyCArg_CheckExact(st, value)) {
PyCArgObject *p = (PyCArgObject *)value;
PyObject *ob = p->obj;
Expand Down Expand Up @@ -5011,6 +5033,55 @@ Array_init(PyObject *self, PyObject *args, PyObject *kw)
return 0;
}

static int
PyCArray_setattro(PyObject *self, PyObject *key, PyObject *value)
{
if (PyUnicode_Check(key) &&
_PyUnicode_EqualToASCIIString(key, "__class__"))
{
ctypes_state *st = get_module_state_by_def(Py_TYPE(Py_TYPE(self)));
StgInfo *old_info = NULL;
StgInfo *new_info = NULL;

if (PyStgInfo_FromObject(st, self, &old_info) < 0) {
return -1;
}
if (PyStgInfo_FromType(st, value, &new_info) < 0) {
return -1;
}

/* If one side has no storage info, disallow */
if (old_info == NULL || new_info == NULL) {
PyErr_SetString(
PyExc_TypeError,
"cannot assign incompatible ctypes array type"
);
return -1;
}

/* Only care about array to array */
if (old_info->length < 0 || new_info->length < 0) {
PyErr_SetString(
PyExc_TypeError,
"cannot assign incompatible ctypes array type");
return -1;
}

/* Must match layout */
if (old_info->length != new_info->length ||
old_info->size != new_info->size ||
old_info->proto != new_info->proto)
{
PyErr_SetString(
PyExc_TypeError,
"cannot assign incompatible ctypes array type");
return -1;
}
}

return PyObject_GenericSetAttr(self, key, value);
}

static PyObject *
Array_item_lock_held(PyObject *myself, Py_ssize_t index)
{
Expand Down Expand Up @@ -5329,6 +5400,7 @@ static PyType_Slot pycarray_slots[] = {
{Py_mp_length, Array_length},
{Py_mp_subscript, Array_subscript},
{Py_mp_ass_subscript, Array_ass_subscript},
{Py_tp_setattro, PyCArray_setattro},
{0, NULL},
};

Expand Down
Loading