Re: plpython: NULL pointer dereference on broken sequence objects

Hi,

On Thu, 25 Jun 2026 at 14:19, Richard Guo <guofenglinux(at)gmail(dot)com> wrote:

> While looking into the recent plperl NULL pointer dereference issue,
> which ended up as 4015abe14, I found a similar issue in plpython, with
> the help of an LLM tool (Claude 4.8).
>
> There are 6 callers of PySequence_GetItem() in plpython, and none of
> them checks the returned result before using it. PySequence_GetItem()
> can return NULL whenever an element cannot be fetched, so an object
> that claims a length it cannot actually deliver is enough to crash the
> backend.
>
> For example:
>
> CREATE FUNCTION test() RETURNS int[] AS $$
> class C:
> def __len__(self):
> return 2
> def __getitem__(self, i):
> raise ValueError('boom')
> return C()
> $$ LANGUAGE plpython3u;
>
> SELECT test(); -- crashes
>
>
> The attached patch checks the result of PySequence_GetItem() in each
> place and errors out if it is NULL.
>

Thanks for the patch and detailed repro.

I applied the patch and it works well, changes too, LGTM.

I think there's a similar problem on the mapping side that v1 doesn't
cover. PLyMapping_ToJsonbValue and the hstore equivalent fetch items with
PyMapping_Items() and PyList_GetItem() without checking for NULL, and a
mapping whose items() raises still would crash the backend.

Regards,
Ayush