Issue #27963: Fixed possible null pointer dereference in ctypes.set_conversion_mode().

Patch by Xiang Zhang.

2 files changed, 31 insertions, 9 deletions

diff --git a/Misc/NEWS b/Misc/NEWS
index c1d111c..4399985 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -42,6 +42,9 @@ Core and Builtins
 Library
 -------
 
+- Issue #27963: Fixed possible null pointer dereference in
+  ctypes.set_conversion_mode().  Patch by Xiang Zhang.
+
 - Issue #28284: Strengthen resistance of ``_json.encode_basestring_ascii()`` to
   integer overflow.
 
diff --git a/Modules/_ctypes/callproc.c b/Modules/_ctypes/callproc.c
index 419beb1..3a12eb6 100644
--- a/Modules/_ctypes/callproc.c
+++ b/Modules/_ctypes/callproc.c
@@ -1688,22 +1688,41 @@ between unicode and strings.  Returns the previous values.\n";
 static PyObject *
 set_conversion_mode(PyObject *self, PyObject *args)
 {
-    char *coding, *mode;
+    char *coding, *mode, *errors, *encoding=NULL;
     PyObject *result;
 
     if (!PyArg_ParseTuple(args, "zs:set_conversion_mode", &coding, &mode))
         return NULL;
-    result = Py_BuildValue("(zz)", _ctypes_conversion_encoding, _ctypes_conversion_errors);
+
+    result = Py_BuildValue("(zz)", _ctypes_conversion_encoding,
+                           _ctypes_conversion_errors);
+    if (!result) {
+        return NULL;
+    }
+
     if (coding) {
-        PyMem_Free(_ctypes_conversion_encoding);
-        _ctypes_conversion_encoding = PyMem_Malloc(strlen(coding) + 1);
-        strcpy(_ctypes_conversion_encoding, coding);
-    } else {
-        _ctypes_conversion_encoding = NULL;
+        encoding = PyMem_Malloc(strlen(coding) + 1);
+        if (!encoding) {
+            Py_DECREF(result);
+            return PyErr_NoMemory();
+        }
+        strcpy(encoding, coding);
+    }
+
+    errors = PyMem_Malloc(strlen(mode) + 1);
+    if (!errors) {
+        Py_DECREF(result);
+        PyMem_Free(encoding);
+        return PyErr_NoMemory();
     }
+    strcpy(errors, mode);
+
+    PyMem_Free(_ctypes_conversion_encoding);
+    _ctypes_conversion_encoding = encoding;
+
     PyMem_Free(_ctypes_conversion_errors);
-    _ctypes_conversion_errors = PyMem_Malloc(strlen(mode) + 1);
-    strcpy(_ctypes_conversion_errors, mode);
+    _ctypes_conversion_errors = errors;
+
     return result;
 }
 #endif