Crash report
What happened?
It's possible to abort the interpreter by calling StringIO.__setstate__ with a non-string initial_value:
python -c "from io import StringIO; StringIO().__setstate__((None, '', 0, {}))"
python: Objects/unicodeobject.c:2542: as_ucs4: Assertion `PyUnicode_Check(string)' failed.
Aborted (core dumped)Interestingly, on a non-debug build passing an int as initial_value gives an error message saying that None should be a valid value:
python -c "from io import StringIO; StringIO().__setstate__((1, '', 0, {}))"
Traceback (most recent call last):
File "<string>", line 1, in <module>
from io import StringIO; StringIO().__setstate__((1, '', 0, {}))
~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^
TypeError: initial_value must be str or None, not intFound using fusil by @vstinner.
CPython versions tested on:
3.13, 3.14, CPython main branch
Operating systems tested on:
Linux
Output from running 'python -VV' on the command line:
Python 3.14.0a2+ (heads/main:0af4ec3, Nov 20 2024, 21:45:19) [GCC 13.2.0]
Linked PRs
Crash report
What happened?
It's possible to abort the interpreter by calling
StringIO.__setstate__with a non-stringinitial_value:Interestingly, on a non-debug build passing an int as
initial_valuegives an error message saying thatNoneshould be a valid value:Found using fusil by @vstinner.
CPython versions tested on:
3.13, 3.14, CPython main branch
Operating systems tested on:
Linux
Output from running 'python -VV' on the command line:
Python 3.14.0a2+ (heads/main:0af4ec3, Nov 20 2024, 21:45:19) [GCC 13.2.0]
Linked PRs
io.StringIO.__setstate__crash whenNoneis the first value #127219io.StringIO.__setstate__crash whenNoneis the first value (GH-127219) #127262io.StringIO.__setstate__crash whenNoneis the first value (GH-127219) #127263