Closed
Description
Describe the issue:
Running core/tests/test_nditer under AddressSanitizer reveals a stack buffer overflow:
Here's a slightly redacted report from AddressSanitizer, from running that test from commit 1ad784dddbe181e23ada5acf919b54a67976e0dc:
SanitizerError
AddressSanitizer: stack-buffer-overflow third_party/py/numpy/core/src/multiarray/dtype_transfer.c:2239:33 in _strided_to_strided_field_transfer (.../bin/third_party/py/numpy/core/tests/test_nditer)
```
=================================================================
==8282==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fbd6497c248 at pc 0x55c85285244e bp 0x7ffc378cd450 sp 0x7ffc378cd448
READ of size 8 at 0x7fbd6497c248 thread T0
    #0 0x55c85285244d in _strided_to_strided_field_transfer third_party/py/numpy/core/src/multiarray/dtype_transfer.c:2239:33
    #1 0x55c852898675 in npyiter_copy_from_buffers third_party/py/numpy/core/src/multiarray/nditer_api.c:2068:17
    #2 0x55c8528a113e in NpyIter_Deallocate third_party/py/numpy/core/src/multiarray/nditer_constr.c:687:17
    #3 0x55c8528a7c12 in npyiter_dealloc third_party/py/numpy/core/src/multiarray/nditer_pywrap.c:1160:14
    #4 0x55c852809aae in array_dealloc third_party/py/numpy/core/src/multiarray/arrayobject.c:451:9
    #5 0x55c85410770c in _Py_DECREF third_party/python_runtime/v3_9/Include/object.h:447:9
    #6 0x55c85410770c in frame_dealloc third_party/python_runtime/v3_9/Objects/frameobject.c:585:9
    #7 0x55c8540e8d11 in _Py_DECREF third_party/python_runtime/v3_9/Include/object.h:447:9
    #8 0x55c8540e8d11 in function_code_fastcall third_party/python_runtime/v3_9/Objects/call.c:338:9
    #9 0x55c8541dc388 in do_call_core third_party/python_runtime/v3_9/Python/ceval.c
    #10 0x55c8541dc388 in _PyEval_EvalFrameDefault third_party/python_runtime/v3_9/Python/ceval.c:3582:22
...
Address 0x7fbd6497c248 is located in stack of thread T0 at offset 72 in frame
    #0 0x55c85289814f in npyiter_copy_from_buffers third_party/py/numpy/core/src/multiarray/nditer_api.c:1897
  This frame has 4 object(s):
    [32, 40) 'transfersize' (line 1909)
    [64, 72) 'buffer' (line 1915) <== Memory access at offset 72 overflows this variable
    [96, 104) 'src_stride' (line 1952)
    [128, 136) 'buf_stride' (line 2067)
```
It looks like _strided_to_strided_field_transfer expects args to have two entries:
numpy/numpy/core/src/multiarray/dtype_transfer.c, line 2239 in 6205f3f:

```c
char *src = args[0], *dst = args[1];
```
but it is passed a pointer to a single char * on the stack here:
numpy/numpy/core/src/multiarray/nditer_api.c, line 2070 in 6205f3f:

```c
&buffer, &transfersize, &buf_stride,
```
Reproduce the code example:
Run the `test_nditer` test under AddressSanitizer.
Error message:
See above.
NumPy/Python version information:
Commit 1ad784d from the maintenance/1.24.x branch, under Python 3.9 on Linux.
Context for the issue:
No response
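
The argument mismatch described in the report, as an added illustration that is not NumPy's code or its fix. `copy_strided`, its `nargs` parameter and both callers are hypothetical names, and the sample data is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a strided transfer function. Like the line quoted
 * from dtype_transfer.c it reads args[0] (src) and args[1] (dst). The nargs
 * parameter is an assumption added here so the contract can be checked. */
static int copy_strided(char *const *args, size_t nargs, size_t count,
                        size_t src_stride, size_t dst_stride, size_t itemsize)
{
    if (nargs < 2) {
        return -1;  /* refuse instead of reading past a one-element args */
    }
    char *src = args[0], *dst = args[1];
    for (size_t i = 0; i < count; i++) {
        memcpy(dst, src, itemsize);
        src += src_stride;
        dst += dst_stride;
    }
    return 0;
}

/* Shape of the reported call: the address of one char * local is passed where
 * the callee indexes two. Without the nargs check, args[1] would read the
 * 8 bytes just past `buffer` in the caller's frame, as in the ASan report. */
int call_with_single_pointer(char *buffer, size_t count, size_t itemsize)
{
    return copy_strided(&buffer, 1, count, itemsize, itemsize, itemsize);
}

/* Corrected shape: a two-element array makes args[1] a real object. */
int call_with_pair(char *src, char *dst, size_t count, size_t itemsize)
{
    char *args[2] = {src, dst};
    return copy_strided(args, 2, count, itemsize, itemsize, itemsize);
}

int main(void)
{
    char src[8] = "ABCDEFG", dst[8] = {0};  /* constructed sample data */
    printf("single pointer: %d\n", call_with_single_pointer(src, 4, 2));
    printf("pair: %d, dst=%s\n", call_with_pair(src, dst, 4, 2), dst);
    return 0;
}
```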