Skip to content

Instantly share code, notes, and snippets.

@devdanzin

devdanzin/exceptiongroup_repr_oob.md

Created March 18, 2026 10:06
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save devdanzin/5624326e8ccc9632aa69ea7f930e310b to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save devdanzin/5624326e8ccc9632aa69ea7f930e310b to your computer and use it in GitHub Desktop.
Download ZIP
exceptions.c: BaseExceptionGroup repr OOB access — segfault from 3 lines of Python
Raw
exceptiongroup_repr_oob.md

exceptions.c: BaseExceptionGroup repr OOB access — segfault from 3 lines of Python

CPython issue: python/cpython#146096

Summary

BaseExceptionGroup_repr in Objects/exceptions.c (line 1094) accesses PyTuple_GET_ITEM(self->args, 1) without checking that self->args has at least 2 elements. Since args is writable from Python via the args property setter (which accepts any tuple), setting it to an empty tuple causes an out-of-bounds read → segfault.

Fix

Guard the index-1 access with a size check:

if (PyTuple_GET_SIZE(self->args) >= 2 &&
    PyList_Check(PyTuple_GET_ITEM(self->args, 1))) {

Affected versions

CPython main branch (3.15.0a6). Likely affects all versions with ExceptionGroup (3.11+).

Reproducer

eg = ExceptionGroup("msg", [ValueError()])
eg.args = ()
repr(eg)  # SIGSEGV

Analysis

BaseExceptionGroup_repr at line 1094 unconditionally accesses index 1 of self->args. The args attribute is mutable — BaseException has a setter that accepts any tuple. The repr() function is called implicitly in many contexts (debugging, logging, tracebacks, f-strings), making the crash easily reachable.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment