
Out of bounds in traceback.c when alloca() is used over VLA #145792

@fuhsnn

Description

Bug report

Bug description:

#if defined(__STDC_NO_VLA__) && (__STDC_NO_VLA__ == 1)
/* Use alloca() for VLAs. */
# define VLA(type, name, size) type *name = alloca(size)
#elif !defined(__STDC_NO_VLA__) || (__STDC_NO_VLA__ == 0)
/* Use actual C VLAs.*/
# define VLA(type, name, size) type name[size]
#elif defined(CAN_C_BACKTRACE)

For the same size, VLA type[size] will allocate (sizeof(type) * size) but alloca(size) will only allocate (1 * size), which is significantly smaller than intended and will cause subsequent accesses of the allocation to be out of bounds, potentially corrupting the stack.

CPython versions tested on:

3.14

Operating systems tested on:

Linux
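As an added illustration of the mismatch described in the report (this is example code written for this page, not CPython's traceback.c, and the macro and helper names VLA_BUGGY, VLA_FIXED, bytes_reserved_buggy, bytes_reserved_fixed, overrun_bytes, frame_info and sum_linenos_fixed are this example's own inventions), the block below puts the reported macro shape beside a corrected one that scales by sizeof(type), computes how many bytes each actually reserves, and exercises only the corrected macro, since running the buggy one would overrun the stack. The frame_info struct is a constructed stand-in for whatever record traceback.c stores per frame.

```c
/* Example code, not from CPython: why alloca(size) is not a substitute for
 * `type name[size]`, and what the corrected macro looks like. */
#include <alloca.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The shape of the macro quoted in the report: alloca() receives an element
 * COUNT, not a byte count, so it reserves only `size` bytes. Defined here for
 * comparison only; it must never be expanded. */
#define VLA_BUGGY(type, name, size) type *name = alloca(size)

/* Corrected form: scale by the element size, as `type name[size]` would. alloca()
 * cannot report failure, so the caller is responsible for bounding `size`. */
#define VLA_FIXED(type, name, size) type *name = alloca(sizeof(type) * (size))

/* Bytes the buggy macro reserves for `count` elements: always just `count`. */
size_t bytes_reserved_buggy(size_t elem_size, size_t count) {
    (void)elem_size;
    return count;
}

/* Bytes the corrected macro reserves; returns 0 if the product would overflow
 * size_t (a check the macro itself cannot perform). */
size_t bytes_reserved_fixed(size_t elem_size, size_t count) {
    if (elem_size != 0 && count > SIZE_MAX / elem_size) {
        return 0; /* overflow: refuse rather than wrap to a tiny allocation */
    }
    return elem_size * count;
}

/* How many bytes beyond the alloca()'d block the buggy macro's array would
 * extend: the size of the stack region that gets clobbered. */
size_t overrun_bytes(size_t elem_size, size_t count) {
    size_t need = bytes_reserved_fixed(elem_size, count);
    size_t got = bytes_reserved_buggy(elem_size, count);
    return need > got ? need - got : 0;
}

/* Constructed stand-in for a per-frame record; large enough that a
 * one-byte-per-element allocation is obviously wrong. */
typedef struct {
    const char *name;
    int lineno;
    int colno;
} frame_info;

/* Uses the corrected macro: writes every element of a `count`-element array and
 * returns the sum of the line numbers. With VLA_FIXED the block holds
 * sizeof(frame_info) * count bytes, so every access stays inside it. */
int sum_linenos_fixed(size_t count) {
    VLA_FIXED(frame_info, frames, count);
    for (size_t i = 0; i < count; i++) {
        frames[i].name = "<frame>";
        frames[i].lineno = (int)(i + 1);
        frames[i].colno = 0;
    }
    int total = 0;
    for (size_t i = 0; i < count; i++) {
        total += frames[i].lineno;
    }
    return total;
}

int main(void) {
    size_t n = 10;
    printf("sizeof(frame_info) = %zu\n", sizeof(frame_info));
    printf("buggy macro reserves %zu bytes for %zu elements\n",
           bytes_reserved_buggy(sizeof(frame_info), n), n);
    printf("fixed macro reserves %zu bytes for %zu elements\n",
           bytes_reserved_fixed(sizeof(frame_info), n), n);
    printf("buggy macro would overrun the stack by %zu bytes\n",
           overrun_bytes(sizeof(frame_info), n));
    printf("sum of line numbers via fixed macro: %d\n", sum_linenos_fixed(n));
    return 0;
}
```

The overflow check in bytes_reserved_fixed is the caveat a reviewer would raise on the corrected macro too: sizeof(type) * size is only correct if the product fits in size_t, and alloca() has no way to signal that it did not, so any caller passing an attacker-influenced count (here, a traceback depth) needs an explicit bound before the allocation.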

Linked PRs

Metadata

Labels

interpreter-core (Objects, Python, Grammar, and Parser dirs)
type-crash (A hard crash of the interpreter, possibly with a core dump)
