Skip to content

gh-151763: Fix NULL deref in os._path_normpath()#151779

Merged
StanFromIreland merged 4 commits into
python:mainfrom
zainnadeem786:fix/oom-investigation
Jun 24, 2026
Merged

gh-151763: Fix NULL deref in os._path_normpath()#151779
StanFromIreland merged 4 commits into
python:mainfrom
zainnadeem786:fix/oom-investigation

Conversation

@zainnadeem786

@zainnadeem786 zainnadeem786 commented Jun 20, 2026

Copy link
Copy Markdown
Contributor

Summary

This PR addresses OOM-0028 from gh-151763.

It fixes a NULL dereference in os__path_normpath_impl() when memory allocation fails while normalizing a bytes path.

Issue

os__path_normpath_impl() builds a Unicode result using either PyUnicode_FromOrdinal() or PyUnicode_FromWideChar().

For bytes input, the function then converts that Unicode result back to bytes using PyUnicode_EncodeFSDefault().

Before this change, the result of PyUnicode_FromWideChar() was not checked before the bytes-path encoding branch.

Under memory pressure, PyUnicode_FromWideChar() can return NULL with a pending MemoryError. The existing code could then pass that NULL value into PyUnicode_EncodeFSDefault(), causing a crash.

Fix

Add an explicit NULL check immediately after creating result and before the bytes-path encoding branch.

if (result == NULL) {
    return NULL;
}

This preserves the pending MemoryError and prevents PyUnicode_EncodeFSDefault() from receiving a NULL object.

Validation

I validated this using a CPython debug build on Windows:

PCbuild\build.bat -p x64 -c Debug

Then I used _testcapi.set_nomemory() to inject allocation failures while calling:

os.path.normpath(b"a\\..\\b\\c")

Before the fix

With the NULL guard removed, allocation index 2 crashed:

IDX 2 RC 3221225477

3221225477 is 0xC0000005, Windows STATUS_ACCESS_VIOLATION.

After the fix

With the NULL guard restored, the same allocation index returned a clean MemoryError instead of crashing:

IDX 2 RC 10 MEMORYERROR

This confirms that the failing OOM path now propagates the allocation failure instead of dereferencing NULL.

Tests

Focused ntpath tests passed:

PCbuild\amd64\python_d.exe -m unittest -v `
  test.test_ntpath.TestNtpath.test_normpath `
  test.test_ntpath.TestNtpath.test_normpath_invalid_paths `
  test.test_ntpath.NtCommonTest.test_normpath_issue5827 `
  test.test_ntpath.NtCommonTest.test_normpath_issue106242

Result:

Ran 4 tests in 0.009s
OK

I also checked the patch with:

git diff --check -- Modules/posixmodule.c

No regression test is included in this PR. The OOM reproducer depends on allocation-failure injection and allocation indexes that can be build-sensitive. The fix itself is a minimal local NULL guard.

Addresses OOM-0028 from gh-151763.

@bedevere-app

bedevere-app Bot commented Jun 20, 2026

Copy link
Copy Markdown

Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool.

If this change has little impact on Python users, wait for a maintainer to apply the skip news label instead.

@bedevere-app bedevere-app Bot mentioned this pull request Jun 20, 2026
Open
StanFromIreland
StanFromIreland reviewed Jun 20, 2026
View reviewed changes
Comment thread Misc/NEWS.d/next/Library/2026-06-20-15-18-46.gh-issue-151763.t-jCFF.rst Outdated
@StanFromIreland StanFromIreland changed the title gh-151763: Fix OOM-0028 NULL check in ntpath normpath gh-151763: Fix NULL deref in os._path_normpath() Jun 20, 2026
StanFromIreland
StanFromIreland reviewed Jun 24, 2026
View reviewed changes

@StanFromIreland StanFromIreland left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The fix is correct.

Comment thread Misc/NEWS.d/next/Library/2026-06-20-15-18-46.gh-issue-151763.t-jCFF.rst Outdated
@bedevere-app

bedevere-app Bot commented Jun 24, 2026

Copy link
Copy Markdown

Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool.

If this change has little impact on Python users, wait for a maintainer to apply the skip news label instead.

@StanFromIreland StanFromIreland merged commit ce8b81f into python:main Jun 24, 2026
57 checks passed
@StanFromIreland StanFromIreland added needs backport to 3.13 bugs and security fixes needs backport to 3.14 bugs and security fixes needs backport to 3.15 pre-release feature fixes, bugs and security fixes labels Jun 24, 2026
@miss-islington-app

miss-islington-app Bot commented Jun 24, 2026

Copy link
Copy Markdown

Thanks @zainnadeem786 for the PR, and @StanFromIreland for merging it 🌮🎉.. I'm working now to backport this PR to: 3.13.
🐍🍒⛏🤖 I'm not a witch! I'm not a witch!

@miss-islington-app

miss-islington-app Bot commented Jun 24, 2026

Copy link
Copy Markdown

Thanks @zainnadeem786 for the PR, and @StanFromIreland for merging it 🌮🎉.. I'm working now to backport this PR to: 3.14.
🐍🍒⛏🤖

@miss-islington-app

miss-islington-app Bot commented Jun 24, 2026

Copy link
Copy Markdown

Thanks @zainnadeem786 for the PR, and @StanFromIreland for merging it 🌮🎉.. I'm working now to backport this PR to: 3.15.
🐍🍒⛏🤖

@bedevere-app

bedevere-app Bot commented Jun 24, 2026

Copy link
Copy Markdown

GH-152094 is a backport of this pull request to the 3.13 branch.

@bedevere-app bedevere-app Bot removed the needs backport to 3.13 bugs and security fixes label Jun 24, 2026
@bedevere-app

bedevere-app Bot commented Jun 24, 2026

Copy link
Copy Markdown

GH-152095 is a backport of this pull request to the 3.14 branch.

@bedevere-app bedevere-app Bot removed the needs backport to 3.14 bugs and security fixes label Jun 24, 2026
@bedevere-app

bedevere-app Bot commented Jun 24, 2026

Copy link
Copy Markdown

GH-152096 is a backport of this pull request to the 3.15 branch.

@bedevere-app bedevere-app Bot removed the needs backport to 3.15 pre-release feature fixes, bugs and security fixes label Jun 24, 2026
@StanFromIreland

StanFromIreland commented Jun 24, 2026

Copy link
Copy Markdown
Member

Merged, thanks.

@zainnadeem786

zainnadeem786 commented Jun 24, 2026

Copy link
Copy Markdown
Contributor Author

Thanks! @StanFromIreland I really appreciate your review and guidance throughout the process. It was great working with you, and I look forward to contributing more fixes and PRs in the future.

StanFromIreland pushed a commit that referenced this pull request Jun 24, 2026
@miss-islington @zainnadeem786
[3.13] gh-151763: Fix NULL dereference in os._path_normpath() under…
58476e8 
… OOM (GH-151779) (#152094)

(cherry picked from commit ce8b81f)

Co-authored-by: Zain Nadeem <zainnadeemzainnadeem80@gmail.com>
StanFromIreland pushed a commit that referenced this pull request Jun 24, 2026
@miss-islington @zainnadeem786
[3.14] gh-151763: Fix NULL dereference in os._path_normpath() under…
45de3e0 
… OOM (GH-151779) (#152095)

(cherry picked from commit ce8b81f)

Co-authored-by: Zain Nadeem <zainnadeemzainnadeem80@gmail.com>
StanFromIreland pushed a commit that referenced this pull request Jun 24, 2026
@miss-islington @zainnadeem786
[3.15] gh-151763: Fix NULL dereference in os._path_normpath() under…
4e7843e 
… OOM (GH-151779) (#152096)

(cherry picked from commit ce8b81f)

Co-authored-by: Zain Nadeem <zainnadeemzainnadeem80@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@StanFromIreland StanFromIreland StanFromIreland approved these changes

Assignees

No one assigned

Labels

skip news

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@zainnadeem786 @StanFromIreland