gh-151763: Fix NULL deref in os._path_normpath() #151779

Open
zainnadeem786 wants to merge 3 commits into python:main from zainnadeem786:fix/oom-investigation

@zainnadeem786

Summary

This PR addresses OOM-0028 from gh-151763.

It fixes a NULL dereference in os__path_normpath_impl() when memory allocation fails while normalizing a bytes path.

Issue

os__path_normpath_impl() builds a Unicode result using either PyUnicode_FromOrdinal() or PyUnicode_FromWideChar().

For bytes input, the function then converts that Unicode result back to bytes using PyUnicode_EncodeFSDefault().

Before this change, the result of PyUnicode_FromWideChar() was not checked before the bytes-path encoding branch.

Under memory pressure, PyUnicode_FromWideChar() can return NULL with a pending MemoryError. The existing code could then pass that NULL value into PyUnicode_EncodeFSDefault(), causing a crash.

Fix

Add an explicit NULL check immediately after creating result and before the bytes-path encoding branch.

if (result == NULL) {
    return NULL;
}

This preserves the pending MemoryError and prevents PyUnicode_EncodeFSDefault() from receiving a NULL object.

Validation

I validated this using a CPython debug build on Windows:

PCbuild\build.bat -p x64 -c Debug

Then I used _testcapi.set_nomemory() to inject allocation failures while calling:

os.path.normpath(b"a\\..\\b\\c")

Before the fix

With the NULL guard removed, allocation index 2 crashed:

IDX 2 RC 3221225477

3221225477 is 0xC0000005, Windows STATUS_ACCESS_VIOLATION.

After the fix

With the NULL guard restored, the same allocation index returned a clean MemoryError instead of crashing:

IDX 2 RC 10 MEMORYERROR

This confirms that the failing OOM path now propagates the allocation failure instead of dereferencing NULL.

Tests

Focused ntpath tests passed:

PCbuild\amd64\python_d.exe -m unittest -v `
  test.test_ntpath.TestNtpath.test_normpath `
  test.test_ntpath.TestNtpath.test_normpath_invalid_paths `
  test.test_ntpath.NtCommonTest.test_normpath_issue5827 `
  test.test_ntpath.NtCommonTest.test_normpath_issue106242

Result:

Ran 4 tests in 0.009s
OK

I also checked the patch with:

git diff --check -- Modules/posixmodule.c

No regression test is included in this PR. The OOM reproducer depends on allocation-failure injection and allocation indexes that can be build-sensitive. The fix itself is a minimal local NULL guard.

Addresses OOM-0028 from gh-151763.
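
The validation procedure described in the PR, written out as an added example (not code from the PR or from CPython): a sweep that runs one child interpreter per allocation index and classifies how each child ended. The names `child_source`, `classify` and `sweep` are hypothetical, the exit code 10 for a propagated MemoryError is an assumption that mirrors the `RC 10 MEMORYERROR` line above, and `_testcapi` must be available in the interpreter under test.

```python
import subprocess
import sys

# Child program: fail every allocation from the idx-th onward, call normpath
# on the bytes path from the PR, and exit 10 if a MemoryError propagated.
CHILD_TEMPLATE = r'''
import os.path, sys, _testcapi
_testcapi.set_nomemory({idx})
try:
    os.path.normpath(b"a\\..\\b\\c")
    rc = 0
except MemoryError:
    rc = 10   # assumed convention, mirrors "RC 10 MEMORYERROR"
finally:
    _testcapi.remove_mem_hooks()   # restore the allocator before exiting
sys.exit(rc)
'''

STATUS_ACCESS_VIOLATION = 0xC0000005  # 3221225477, as reported in the PR


def child_source(idx):
    """Return the child program for one allocation-failure index."""
    return CHILD_TEMPLATE.format(idx=idx)


def classify(returncode):
    """Map a child exit status to ok / memoryerror / crash / other."""
    if returncode == 0:
        return "ok"
    if returncode == 10:
        return "memoryerror"
    # Windows reports the NTSTATUS value; POSIX reports -signal (e.g. -11).
    if returncode == STATUS_ACCESS_VIOLATION or returncode < 0:
        return "crash"
    return "other"   # e.g. _testcapi missing from this build


def sweep(python=sys.executable, max_idx=20, timeout=60):
    """Run one child per allocation index; return (idx, rc, label) rows."""
    rows = []
    for idx in range(1, max_idx + 1):
        proc = subprocess.run([python, "-c", child_source(idx)],
                              capture_output=True, timeout=timeout)
        rows.append((idx, proc.returncode, classify(proc.returncode)))
    return rows


if __name__ == "__main__":
    for idx, rc, label in sweep():
        print(f"IDX {idx} RC {rc} {label.upper()}")
```

Pass the debug interpreter from the build step as `python` (for example `PCbuild\amd64\python_d.exe`) to test that build rather than the interpreter running the sweep.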

@bedevere-app

bedevere-app Bot commented Jun 20, 2026

Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool.

If this change has little impact on Python users, wait for a maintainer to apply the skip news label instead.

@StanFromIreland StanFromIreland changed the title gh-151763: Fix OOM-0028 NULL check in ntpath normpath gh-151763: Fix NULL deref in os._path_normpath() Jun 20, 2026