BUG: Fix dtype use-after-free bug in FromString

author: Sebastian Berg <sebastian@sipsolutions.net> 2019-10-08 10:07:09 -0700
committer: Sebastian Berg <sebastian@sipsolutions.net> 2019-10-08 10:07:09 -0700
commit: 0927f7bda1396007b8168192a1d181b0a34af89d (patch)
tree: 48d4f5ef09f15f5afd47befd20f3d32bf7469226
parent: ffb381aa18e93d30099bb97cf58435dd51d88bfa (diff)
download: numpy-0927f7bda1396007b8168192a1d181b0a34af89d.tar.gz
1 files changed, 6 insertions, 1 deletions
diff --git a/numpy/core/src/multiarray/ctors.c b/numpy/core/src/multiarray/ctors.c
index 77ee3efdd..5174bd889 100644
--- a/numpy/core/src/multiarray/ctors.c
+++ b/numpy/core/src/multiarray/ctors.c
@@ -3999,6 +3999,11 @@ PyArray_FromString(char *data, npy_intp slen, PyArray_Descr *dtype,
                 return NULL;
             }
         }
+        /*
+         * NewFromDescr may replace dtype to absorb subarray shape
+         * into the array, so get size beforehand.
+         */
+        npy_intp size_to_copy = num*dtype->elsize;
         ret = (PyArrayObject *)
             PyArray_NewFromDescr(&PyArray_Type, dtype,
                                  1, &num, NULL, NULL,
@@ -4006,7 +4011,7 @@ PyArray_FromString(char *data, npy_intp slen, PyArray_Descr *dtype,
         if (ret == NULL) {
             return NULL;
         }
-        memcpy(PyArray_DATA(ret), data, num*dtype->elsize);
+        memcpy(PyArray_DATA(ret), data, size_to_copy);
     }
     else {
         /* read from character-based string */
author	Sebastian Berg <sebastian@sipsolutions.net>	2019-10-08 10:07:09 -0700
committer	Sebastian Berg <sebastian@sipsolutions.net>	2019-10-08 10:07:09 -0700
commit	0927f7bda1396007b8168192a1d181b0a34af89d (patch)
tree	48d4f5ef09f15f5afd47befd20f3d32bf7469226
parent	ffb381aa18e93d30099bb97cf58435dd51d88bfa (diff)
download	numpy-0927f7bda1396007b8168192a1d181b0a34af89d.tar.gz