Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Python interpreter crashes with realloc(): invalid next size #118990

Closed
christian-heusel opened this issue May 13, 2024 · 10 comments
Closed

Python interpreter crashes with realloc(): invalid next size #118990

christian-heusel opened this issue May 13, 2024 · 10 comments
Labels
type-crash A hard crash of the interpreter, possibly with a core dump

Comments

@christian-heusel
Copy link

christian-heusel commented May 13, 2024
edited

Crash report

What happened?

This is a follow-up on another bug report to the diffoscope program, after we have concluded that its is not the program but the interpreter that crashes: https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/371
The other bug report also has some background information and stacktraces that occur with the original diffoscope issue.

The following snippet (with a.pyc) seems to crash the python interpreter for me (on exit):

from diffoscope.comparators.python import parse_pyc
len(list(parse_pyc(open("a.pyc", "rb"))))

Here is the terminal output in full:

Python 3.12.3 (main, Apr 23 2024, 09:16:07) [GCC 13.2.1 20240417] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from diffoscope.comparators.python import parse_pyc
>>> len(list(parse_pyc(open("a.pyc", "rb"))))
2510
>>> 
corrupted size vs. prev_size
[1]    15886 IOT instruction (core dumped)  python

This gets me the following traceback:

(gdb) bt full
#0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
        tid = <optimized out>
        ret = 0
        pd = <optimized out>
        old_mask = {__val = {140737488344448}}
        ret = <optimized out>
#1  0x00007ffff76a8eb3 in __pthread_kill_internal (threadid=<optimized out>, signo=6) at pthread_kill.c:78
No locals.
#2  0x00007ffff7650a30 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
        ret = <optimized out>
#3  0x00007ffff76384c3 in __GI_abort () at abort.c:79
        save_stage = 1
        act = {__sigaction_handler = {sa_handler = 0x20, sa_sigaction = 0x20}, sa_mask = {__val = {563003392984950430, 140737338523248, 140737347523616, 
              140737338523408, 0, 140737335247376, 140737334969392, 8, 93824994291376, 140737338523248, 140737347523616, 15, 5, 140737333430000, 
              140737334971376, 16}}, sa_flags = -1259926528, sa_restorer = 0xf}
#4  0x00007ffff7639354 in __libc_message_impl (fmt=fmt@entry=0x7ffff77c22ea "%s\n") at ../sysdeps/posix/libc_fatal.c:132
        ap = {{gp_offset = 16, fp_offset = 32767, overflow_arg_area = 0x7fffffffd7b0, reg_save_area = 0x7fffffffd740}}
        fd = 2
        iov = {{iov_base = 0x7ffff77bffe1, iov_len = 28}, {iov_base = 0x7ffff77c22ec, iov_len = 1}, {iov_base = 0x7ffff711be70, iov_len = 140737347523616}, {
            iov_base = 0x5555556bceb0, iov_len = 40}, {iov_base = 0x555555817c50, iov_len = 140737333753808}, {iov_base = 0x80, iov_len = 93824995122304}, {
            iov_base = 0x7f, iov_len = 140737347269691}}
        iovcnt = <optimized out>
        total = <optimized out>
        cp = <optimized out>
#5  0x00007ffff76b3085 in malloc_printerr (str=str@entry=0x7ffff77bffe1 "corrupted size vs. prev_size") at malloc.c:5772
No locals.
#6  0x00007ffff76b3c16 in unlink_chunk (p=p@entry=0x5555557f5fa0, av=0x7ffff77f6ac0 <main_arena>) at malloc.c:1611
        fd = <optimized out>
        bk = <optimized out>
#7  0x00007ffff76b3e6c in _int_free_create_chunk (av=av@entry=0x7ffff77f6ac0 <main_arena>, p=p@entry=0x5555557f5d10, size=size@entry=656, 
    nextchunk=nextchunk@entry=0x5555557f5fa0, nextsize=nextsize@entry=656) at malloc.c:4721
        nextinuse = <optimized out>
        bck = <optimized out>
        fwd = <optimized out>
#8  0x00007ffff76b51ca in _int_free_merge_chunk (av=0x7ffff77f6ac0 <main_arena>, p=0x5555557f5d10, size=656) at malloc.c:4700
        nextchunk = 0x5555557f5fa0
        nextsize = 656
#9  0x00007ffff76b53ea in _int_free (av=<optimized out>, p=p@entry=0x5555557f5d10, have_lock=<optimized out>, have_lock@entry=0) at malloc.c:4646
        size = <optimized out>
        fb = <optimized out>
#10 0x00007ffff76b7dae in __GI___libc_free (mem=mem@entry=0x5555557f5d20) at malloc.c:3398
        ar_ptr = <optimized out>
        p = 0x5555557f5d10
        err = 0
#11 0x00007ffff79adb0c in _PyMem_RawFree (_unused_ctx=<optimized out>, ptr=0x5555557f5d20) at Objects/obmalloc.c:73
No locals.
#12 PyMem_RawFree (ptr=0x5555557f5d20) at Objects/obmalloc.c:685
No locals.
#13 _PyObject_Free (p=0x5555557f5d20, ctx=<optimized out>) at Objects/obmalloc.c:1853
        state = 0x7ffff7dc6140 <_PyRuntime+80352>
        state = <optimized out>
#14 PyObject_Free (ptr=0x5555557f5d20) at Objects/obmalloc.c:830
No locals.
#15 code_dealloc (co=0x5555557f5d20) at Objects/codeobject.c:1745
No locals.
#16 0x00007ffff799db11 in Py_DECREF (op=<optimized out>) at ./Include/object.h:705
No locals.
#17 func_dealloc (op=0x7ffff6b15260) at Objects/funcobject.c:856
No locals.
#18 0x00007ffff79827a0 in _Py_Dealloc (op=<optimized out>) at Objects/object.c:2625
        type = <optimized out>
        dealloc = <optimized out>
#19 Py_DECREF (op=<optimized out>) at ./Include/object.h:705
No locals.
#20 Py_XDECREF (op=<optimized out>) at ./Include/object.h:798
No locals.
#21 free_keys_object (interp=0x7ffff7dc51c8 <_PyRuntime+76392>, keys=0x55555581bbb0) at Objects/dictobject.c:673
        entries = <optimized out>
        i = 76
        n = <optimized out>
        state = <optimized out>
#22 0x00007ffff7a6e0ab in type_clear (type=0x55555581a8c0) at Objects/typeobject.c:5295
        dict = <optimized out>
#23 0x00007ffff798fc7a in delete_garbage (old=0x7ffff7dc5280 <_PyRuntime+76576>, collectable=0x7fffffffd9c0, gcstate=0x7ffff7dc5238 <_PyRuntime+76504>, 
    tstate=0x7ffff7e22ae8 <_PyRuntime+459656>) at Modules/gcmodule.c:1029
        clear = <optimized out>
        gc = <optimized out>
        op = 0x55555581a8c0
#24 gc_collect_main (tstate=tstate@entry=0x7ffff7e22ae8 <_PyRuntime+459656>, generation=generation@entry=2, n_collected=n_collected@entry=0x0, 
    n_uncollectable=n_uncollectable@entry=0x0, nofail=nofail@entry=1) at Modules/gcmodule.c:1303
        i = <optimized out>
        m = 3913
        n = 0
        young = 0x7ffff7dc5280 <_PyRuntime+76576>
        old = <optimized out>
        unreachable = {_gc_next = 140737488345520, _gc_prev = 140737488345520}
        finalizers = {_gc_next = 140737488345504, _gc_prev = 140737488345504}
        gc = <optimized out>
        t1 = 0
        gcstate = 0x7ffff7dc5238 <_PyRuntime+76504>
        final_unreachable = {_gc_next = 93824995141808, _gc_prev = 140737332415728}
        stats = <optimized out>
#25 0x00007ffff7a759fc in _PyGC_CollectNoFail (tstate=tstate@entry=0x7ffff7e22ae8 <_PyRuntime+459656>) at Modules/gcmodule.c:2135
        gcstate = 0x7ffff7dc5238 <_PyRuntime+76504>
        n = <optimized out>
#26 0x00007ffff7a74ab4 in finalize_modules (tstate=tstate@entry=0x7ffff7e22ae8 <_PyRuntime+459656>) at Python/pylifecycle.c:1588
        interp = <optimized out>
        modules = 0x7ffff7190200
        verbose = <optimized out>
        weaklist = 0x7ffff7191200
#27 0x00007ffff7a5e406 in Py_FinalizeEx () at Python/pylifecycle.c:1889
        status = <optimized out>
        runtime = 0x7ffff7db2760 <_PyRuntime>
        tstate = <optimized out>
        malloc_stats = <optimized out>
#28 0x00007ffff7a6ccf2 in Py_RunMain () at Modules/main.c:711
        exitcode = 0
#29 0x00007ffff7a28fab in Py_BytesMain (argc=<optimized out>, argv=<optimized out>) at Modules/main.c:763
        args = {argc = 1, use_bytes_argv = 1, bytes_argv = 0x7fffffffde58, wchar_argv = 0x0}
#30 0x00007ffff7639c88 in __libc_start_call_main (main=main@entry=0x555555555120 <main>, argc=argc@entry=1, argv=argv@entry=0x7fffffffde58)
    at ../sysdeps/nptl/libc_start_call_main.h:58
        self = <optimized out>
        result = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140737488346712, 6779890582023430464, 1, 0, 140737354125312, 93824992247232, 6779890582008750400, 
                6779909378961826112}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x1, 0x7fffffffde50}, data = {prev = 0x0, cleanup = 0x0, 
              canceltype = 1}}}
        not_first_call = <optimized out>
#31 0x00007ffff7639d4c in __libc_start_main_impl (main=0x555555555120 <main>, argc=1, argv=0x7fffffffde58, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7fffffffde48) at ../csu/libc-start.c:360
No locals.
#32 0x0000555555555045 in _start ()
No symbol table info available.

I have also looked at previous issues issues, but it seems like they are either unrelated or a few years old.

The issue occurs and was tested on Arch Linux with the python 3.12.3-1 package.

I'm happy to provide more input or test things if that helps with debugging the issue!

CPython versions tested on:

3.12

Operating systems tested on:

Linux

Output from running 'python -VV' on the command line:

Python 3.12.3 (main, Apr 23 2024, 09:16:07) [GCC 13.2.1 20240417]
@christian-heusel christian-heusel added the type-crash A hard crash of the interpreter, possibly with a core dump label May 13, 2024
@sobolevn
Copy link
Member

Can you please provide a standalone reproduction?

@christian-heusel
Copy link
Author

christian-heusel commented May 13, 2024
edited

You can reproduce the string on top of it (the input file a.pyc from #118990 (comment)) by running the following:

$ curl -s https://archive.archlinux.org/packages/a/ansible/ansible-9.4.0-2-any.pkg.tar.zst | \
    tar --zstd --extract --to-stdout usr/lib/python3.11/site-packages/ansible_collections/amazon/aws/plugins/modules/__pycache__/ec2_vpc_igw.cpython-311.opt-1.pyc | \
    base64

Also this is a bit insane, but gets the job of being a standalone reproducer done 😆

import re
import io
import binascii
import time
import struct
import marshal
import dis
import types
import base64

input_pyc = """
pw0NCgMAAACI9uYRDNk7hOMAAAAAAAAAAAAAAAAEAAAAAAAAAPMUAQAAlwBkAFoAZAFaAWQCWgIJ
AGQDZARsA1oDbgsjAGUEJAByAwEAWQBuBHcAeANZAHcBZANkBWwFbQZaBgEAZANkBmwHbQhaCAEA
ZANkB2wJbQpaCgEAZANkCGwLbQxaDAEAZANkCWwNbQ5aDgEAZANkCmwNbQ9aDwEAZANkC2wQbRFa
EQEAZANkDGwSbRNaEwEAAgBlDGoUAAAAAAAAAABkDWQNrA6mAgAAqwIAAAAAAAAAAGQPhACmAAAA
qwAAAAAAAAAAAFoVZBCEAFoWAgBHAGQRhABkEqYCAACrAgAAAAAAAAAAWhdkE4QAWhhlGWQUawIA
AAAAcgwCAGUYpgAAAKsAAAAAAAAAAAABAGQEUwBkBFMAKRVhYQUAAAotLS0KbW9kdWxlOiBlYzJf
dnBjX2lndwp2ZXJzaW9uX2FkZGVkOiAxLjAuMApzaG9ydF9kZXNjcmlwdGlvbjogTWFuYWdlIGFu
IEFXUyBWUEMgSW50ZXJuZXQgZ2F0ZXdheQpkZXNjcmlwdGlvbjoKICAgIC0gTWFuYWdlIGFuIEFX
UyBWUEMgSW50ZXJuZXQgZ2F0ZXdheQphdXRob3I6IFJvYmVydCBFc3RlbGxlIChAZXJ5ZG8pCm9w
dGlvbnM6CiAgaW50ZXJuZXRfZ2F0ZXdheV9pZDoKICAgIHZlcnNpb25fYWRkZWQ6IDcuMC4wCiAg
ICBkZXNjcmlwdGlvbjoKICAgICAgLSBUaGUgSUQgb2YgSW50ZXJuZXQgR2F0ZXdheSB0byBtYW5h
Z2UuCiAgICByZXF1aXJlZDogZmFsc2UKICAgIHR5cGU6IHN0cgogIHZwY19pZDoKICAgIGRlc2Ny
aXB0aW9uOgogICAgICAtIFRoZSBWUEMgSUQgZm9yIHRoZSBWUEMgdG8gYXR0YWNoICh3aGVuIHN0
YXRlPXByZXNlbnQpCiAgICAgIC0gVlBDIElEIGNhbiBhbHNvIGJlIHByb3ZpZGVkIHRvIGZpbmQg
dGhlIGludGVybmV0IGdhdGV3YXkgdG8gbWFuYWdlIHRoYXQgdGhlIFZQQyBpcyBhdHRhY2hlZCB0
bwogICAgcmVxdWlyZWQ6IGZhbHNlCiAgICB0eXBlOiBzdHIKICBzdGF0ZToKICAgIGRlc2NyaXB0
aW9uOgogICAgICAtIENyZWF0ZSBvciB0ZXJtaW5hdGUgdGhlIElHVwogICAgZGVmYXVsdDogcHJl
c2VudAogICAgY2hvaWNlczogWyAncHJlc2VudCcsICdhYnNlbnQnIF0KICAgIHR5cGU6IHN0cgog
IGZvcmNlX2F0dGFjaDoKICAgIHZlcnNpb25fYWRkZWQ6IDcuMC4wCiAgICBkZXNjcmlwdGlvbjoK
ICAgICAgLSBGb3JjZSBhdHRhY2hpbmcgVlBDIHRvIEkodnBjX2lkKS4KICAgICAgLSBTZXR0aW5n
IHRoaXMgb3B0aW9uIHRvIHRydWUgd2lsbCBkZXRhY2ggYW4gZXhpc3RpbmcgVlBDIGF0dGFjaG1l
bnQgYW5kIGF0dGFjaCB0byB0aGUgc3VwcGxpZWQgSSh2cGNfaWQpLgogICAgICAtIElnbm9yZWQg
d2hlbiBJKHN0YXRlPWFic2VudCkuCiAgICAgIC0gSSh2cGNfaWQpIG11c3QgYmUgc3BlY2lmaWVk
IHdoZW4gSShmb3JjZV9hdHRhY2gpIGlzIHRydWUKICAgIGRlZmF1bHQ6IGZhbHNlCiAgICB0eXBl
OiBib29sCiAgZGV0YWNoX3ZwYzoKICAgIHZlcnNpb25fYWRkZWQ6IDcuMC4wCiAgICBkZXNjcmlw
dGlvbjoKICAgICAgLSBSZW1vdmUgYXR0YWNoZWQgVlBDIGZyb20gZ2F0ZXdheQogICAgZGVmYXVs
dDogZmFsc2UKICAgIHR5cGU6IGJvb2wKbm90ZXM6Ci0gU3VwcG9ydCBmb3IgSShwdXJnZV90YWdz
KSB3YXMgYWRkZWQgaW4gcmVsZWFzZSAxLjMuMC4KZXh0ZW5kc19kb2N1bWVudGF0aW9uX2ZyYWdt
ZW50OgogIC0gYW1hem9uLmF3cy5jb21tb24ubW9kdWxlcwogIC0gYW1hem9uLmF3cy5yZWdpb24u
bW9kdWxlcwogIC0gYW1hem9uLmF3cy50YWdzCiAgLSBhbWF6b24uYXdzLmJvdG8zCmE4BQAACiMg
Tm90ZTogVGhlc2UgZXhhbXBsZXMgZG8gbm90IHNldCBhdXRoZW50aWNhdGlvbiBkZXRhaWxzLCBz
ZWUgdGhlIEFXUyBHdWlkZSBmb3IgZGV0YWlscy4KCiMgRW5zdXJlIHRoYXQgdGhlIFZQQyBoYXMg
YW4gSW50ZXJuZXQgR2F0ZXdheS4KIyBUaGUgSW50ZXJuZXQgR2F0ZXdheSBJRCBpcyBjYW4gYmUg
YWNjZXNzZWQgdmlhIHt7aWd3LmdhdGV3YXlfaWR9fSBmb3IgdXNlIGluIHNldHRpbmcgdXAgTkFU
cyBldGMuCi0gbmFtZTogQ3JlYXRlIEludGVybmV0IGdhdGV3YXkKICBhbWF6b24uYXdzLmVjMl92
cGNfaWd3OgogICAgdnBjX2lkOiB2cGMtYWJjZGVmZ2gKICAgIHN0YXRlOiBwcmVzZW50CiAgcmVn
aXN0ZXI6IGlndwoKLSBuYW1lOiBDcmVhdGUgSW50ZXJuZXQgZ2F0ZXdheSB3aXRoIHRhZ3MKICBh
bWF6b24uYXdzLmVjMl92cGNfaWd3OgogICAgdnBjX2lkOiB2cGMtYWJjZGVmZ2gKICAgIHN0YXRl
OiBwcmVzZW50CiAgICB0YWdzOgogICAgICBUYWcxOiB0YWcxCiAgICAgIFRhZzI6IHRhZzIKICBy
ZWdpc3RlcjogaWd3CgotIG5hbWU6IENyZWF0ZSBhIGRldGFjaGVkIGdhdGV3YXkKICBhbWF6b24u
YXdzLmVjMl92cGNfaWd3OgogICAgc3RhdGU6IHByZXNlbnQKICByZWdpc3RlcjogaWd3CgotIG5h
bWU6IENoYW5nZSB0aGUgVlBDIHRoZSBnYXRld2F5IGlzIGF0dGFjaGVkIHRvCiAgYW1hem9uLmF3
cy5lYzJfdnBjX2lndzoKICAgIGludGVybmV0X2dhdGV3YXlfaWQ6IGlndy1hYmNkZWZnaAogICAg
dnBjX2lkOiB2cGMtc3R1dnd4eXoKICAgIGZvcmNlX2F0dGFjaDogdHJ1ZQogICAgc3RhdGU6IHBy
ZXNlbnQKICByZWdpc3RlcjogaWd3CgotIG5hbWU6IERlbGV0ZSBJbnRlcm5ldCBnYXRld2F5IHVz
aW5nIHRoZSBhdHRhY2hlZCB2cGMgaWQKICBhbWF6b24uYXdzLmVjMl92cGNfaWd3OgogICAgc3Rh
dGU6IGFic2VudAogICAgdnBjX2lkOiB2cGMtYWJjZGVmZ2gKICByZWdpc3RlcjogdnBjX2lnd19k
ZWxldGUKCi0gbmFtZTogRGVsZXRlIEludGVybmV0IGdhdGV3YXkgd2l0aCBnYXRld2F5IGlkCiAg
YW1hem9uLmF3cy5lYzJfdnBjX2lndzoKICAgIHN0YXRlOiBhYnNlbnQKICAgIGludGVybmV0X2dh
dGV3YXlfaWQ6IGlndy1hYmNkZWZnaAogIHJlZ2lzdGVyOiB2cGNfaWd3X2RlbGV0ZQoKLSBuYW1l
OiBEZWxldGUgSW50ZXJuZXQgZ2F0ZXdheSBlbnN1cmluZyBhdHRhY2hlZCBWUEMgaXMgY29ycmVj
dAogIGFtYXpvbi5hd3MuZWMyX3ZwY19pZ3c6CiAgICBzdGF0ZTogYWJzZW50CiAgICBpbnRlcm5l
dF9nYXRld2F5X2lkOiBpZ3ctYWJjZGVmZ2gKICAgIHZwY19pZDogdnBjLWFiY2RlZmdoCiAgcmVn
aXN0ZXI6IHZwY19pZ3dfZGVsZXRlCmFVAgAACmNoYW5nZWQ6CiAgZGVzY3JpcHRpb246IElmIGFu
eSBjaGFuZ2VzIGhhdmUgYmVlbiBtYWRlIHRvIHRoZSBJbnRlcm5ldCBHYXRld2F5LgogIHR5cGU6
IGJvb2wKICByZXR1cm5lZDogYWx3YXlzCiAgc2FtcGxlOgogICAgY2hhbmdlZDogZmFsc2UKZ2F0
ZXdheV9pZDoKICBkZXNjcmlwdGlvbjogVGhlIHVuaXF1ZSBpZGVudGlmaWVyIGZvciB0aGUgSW50
ZXJuZXQgR2F0ZXdheS4KICB0eXBlOiBzdHIKICByZXR1cm5lZDogSShzdGF0ZT1wcmVzZW50KQog
IHNhbXBsZToKICAgIGdhdGV3YXlfaWQ6ICJpZ3ctWFhYWFhYWFgiCnRhZ3M6CiAgZGVzY3JpcHRp
b246IFRoZSB0YWdzIGFzc29jaWF0ZWQgdGhlIEludGVybmV0IEdhdGV3YXkuCiAgdHlwZTogZGlj
dAogIHJldHVybmVkOiBJKHN0YXRlPXByZXNlbnQpCiAgc2FtcGxlOgogICAgdGFnczoKICAgICAg
IkFuc2libGUiOiAiVGVzdCIKdnBjX2lkOgogIGRlc2NyaXB0aW9uOiBUaGUgVlBDIElEIGFzc29j
aWF0ZWQgd2l0aCB0aGUgSW50ZXJuZXQgR2F0ZXdheS4KICB0eXBlOiBzdHIKICByZXR1cm5lZDog
SShzdGF0ZT1wcmVzZW50KQogIHNhbXBsZToKICAgIHZwY19pZDogInZwYy1YWFhYWFhYWCIK6QAA
AABOKQHaGGNhbWVsX2RpY3RfdG9fc25ha2VfZGljdCkB2g9lbnN1cmVfZWMyX3RhZ3MpAdoQQW5z
aWJsZUFXU01vZHVsZSkB2ghBV1NSZXRyeakB2h5ib3RvM190YWdfbGlzdF90b19hbnNpYmxlX2Rp
Y3QpAdoYYm90bzNfdGFnX3NwZWNpZmljYXRpb25zKQHaIWFuc2libGVfZGljdF90b19ib3RvM19m
aWx0ZXJfbGlzdCkB2gpnZXRfd2FpdGVy6QoAAAApAtoHcmV0cmllc9oFZGVsYXljAQAAAAAAAAAA
AAAABQAAAAsAAADzdgAAAJcAfACgAAAAAAAAAAAAAAAAAAAAAAAAAAAAZAGmAQAAqwEAAAAAAAAA
AH0CAgB8AmoBAAAAAAAAAABkA2kAfAGkAY4BoAIAAAAAAAAAAAAAAAAAAAAAAAAAAKYAAACrAAAA
AAAAAAAAZAIZAAAAAAAAAAAAUwApBE7aGmRlc2NyaWJlX2ludGVybmV0X2dhdGV3YXlz2hBJbnRl
cm5ldEdhdGV3YXlzqQCpA9oNZ2V0X3BhZ2luYXRvctoIcGFnaW5hdGXaEWJ1aWxkX2Z1bGxfcmVz
dWx0qQPaCmNvbm5lY3Rpb27aBnBhcmFtc9oJcGFnaW5hdG9ycwMAAAAgICD6Xy91c3IvbGliL3B5
dGhvbjMuMTEvc2l0ZS1wYWNrYWdlcy9hbnNpYmxlX2NvbGxlY3Rpb25zL2FtYXpvbi9hd3MvcGx1
Z2lucy9tb2R1bGVzL2VjMl92cGNfaWd3LnB52hpkZXNjcmliZV9pZ3dzX3dpdGhfYmFja29mZnIc
AAAAmwAAAHNBAAAAgADgEBrXECjSECjQKUXREEbUEEaASdgLHYg51Asd0Asn0AsnoAbQCyfQCyfX
CznSCznRCzvUCzvQPE7UC0/QBE/zAAAAAGMBAAAAAAAAAAAAAAAFAAAACwAAAPN2AAAAlwB8AKAA
AAAAAAAAAAAAAAAAAAAAAAAAAABkAaYBAACrAQAAAAAAAAAAfQICAHwCagEAAAAAAAAAAGQDaQB8
AaQBjgGgAgAAAAAAAAAAAAAAAAAAAAAAAAAApgAAAKsAAAAAAAAAAABkAhkAAAAAAAAAAABTACkE
TtoNZGVzY3JpYmVfdnBjc9oEVnBjc3ISAAAAchMAAAByFwAAAHMDAAAAICAgchsAAADaGmRlc2Ny
aWJlX3ZwY3Nfd2l0aF9iYWNrb2ZmciEAAAChAAAAcz8AAACAANgQGtcQKNIQKKgf0RA51BA5gEnY
Cx2IOdQLHdALJ9ALJ6AG0Asn0Asn1ws50gs50Qs71As7uEbUC0PQBENyHQAAAGMAAAAAAAAAAAAA
AAACAAAAAAAAAPNWAAAAlwBlAFoBZABaAmQBhABaA2QChABaBGQLZASEAVoFZAWEAFoGZQdkBoQA
pgAAAKsAAAAAAAAAAABaCGQHhABaCWQIhABaCmQJhABaC2QKhABaDGQDUwApDNoNQW5zaWJsZUVj
Mklnd2MDAAAAAAAAAAAAAAAFAAAAAwAAAPOoAAAAlwB8AXwAXwAAAAAAAAAAAHwCfABfAQAAAAAA
AAAAfABqAAAAAAAAAAAAoAIAAAAAAAAAAAAAAAAAAAAAAAAAAGQBdAcAAAAAAAAAAAAAagQAAAAA
AAAAAKYAAACrAAAAAAAAAAAArAKmAgAAqwIAAAAAAAAAAHwAXwUAAAAAAAAAAHwAagAAAAAAAAAA
AGoGAAAAAAAAAAB8AF8HAAAAAAAAAABkAFMAKQNO2gNlYzIpAdoPcmV0cnlfZGVjb3JhdG9yKQja
B19tb2R1bGXaCF9yZXN1bHRz2gZjbGllbnRyBgAAANoQaml0dGVyZWRfYmFja29mZtoLX2Nvbm5l
Y3Rpb27aCmNoZWNrX21vZGXaC19jaGVja19tb2RlKQPaBHNlbGbaBm1vZHVsZdoHcmVzdWx0c3MD
AAAAICAgchsAAADaCF9faW5pdF9fehZBbnNpYmxlRWMySWd3Ll9faW5pdF9fpwAAAHNJAAAAgADY
Fx2IBIwM2BgfiASMDdgbH5w81xsu0hsuqHXFaNRGX9FGYdRGYdAbLtEbYtQbYogE1AgY2BsfnDzU
GzKIBNQIGNAIGNAIGHIdAAAAYwEAAAAAAAAAAAAAAAgAAAADAAAA8zoCAACXAHwAagAAAAAAAAAA
AGoBAAAAAAAAAACgAgAAAAAAAAAAAAAAAAAAAAAAAAAAZAGmAQAAqwEAAAAAAAAAAH0BfABqAAAA
AAAAAAAAagEAAAAAAAAAAKACAAAAAAAAAAAAAAAAAAAAAAAAAABkAqYBAACrAQAAAAAAAAAAfQJ8
AGoAAAAAAAAAAABqAQAAAAAAAAAAoAIAAAAAAAAAAAAAAAAAAAAAAAAAAGQDZASmAgAAqwIAAAAA
AAAAAH0DfABqAAAAAAAAAAAAagEAAAAAAAAAAKACAAAAAAAAAAAAAAAAAAAAAAAAAABkBaYBAACr
AQAAAAAAAAAAfQR8AGoAAAAAAAAAAABqAQAAAAAAAAAAoAIAAAAAAAAAAAAAAAAAAAAAAAAAAGQG
pgEAAKsBAAAAAAAAAAB9BXwAagAAAAAAAAAAAGoBAAAAAAAAAACgAgAAAAAAAAAAAAAAAAAAAAAA
AAAAZAemAQAAqwEAAAAAAAAAAH0GfABqAAAAAAAAAAAAagEAAAAAAAAAAKACAAAAAAAAAAAAAAAA
AAAAAAAAAABkCKYBAACrAQAAAAAAAAAAfQd8A2QEawIAAAAAchx8AKADAAAAAAAAAAAAAAAAAAAA
AAAAAAB8AXwCfAR8BXwGfAemBgAAqwYAAAAAAAAAAAEAZABTAHwDZAlrAgAAAAByGHwAoAQAAAAA
AAAAAAAAAAAAAAAAAAAAAHwBfAKmAgAAqwIAAAAAAAAAAAEAZABTAGQAUwApCk7aE2ludGVybmV0
X2dhdGV3YXlfaWTaBnZwY19pZNoFc3RhdGXaB3ByZXNlbnTaBHRhZ3PaCnB1cmdlX3RhZ3PaDGZv
cmNlX2F0dGFjaNoKZGV0YWNoX3ZwY9oGYWJzZW50KQVyJwAAAHIZAAAA2gNnZXTaEmVuc3VyZV9p
Z3dfcHJlc2VudNoRZW5zdXJlX2lnd19hYnNlbnQpCHIuAAAAcjMAAAByNAAAAHI1AAAAcjcAAABy
OAAAAHI5AAAAcjoAAABzCAAAACAgICAgICAgchsAAADaB3Byb2Nlc3N6FUFuc2libGVFYzJJZ3cu
cHJvY2Vzc60AAABzEAEAAIAA2B4inGzUHjHXHjXSHjXQNkvRHkzUHkzQCBvYERWUHNQRJNcRKNIR
KKgY0REy1BEyiAbYEBSUDNQQI9cQJ9IQJ6gHsBnREDvUEDuIBdgPE4x81A8i1w8m0g8moHbRDy7U
Dy6IBNgVGZRc1BUo1xUs0hUsqFzRFTrUFTqICtgXG5R81Bcq1xcu0hcuqH7RFz7UFz6IDNgVGZRc
1BUo1xUs0hUsqFzRFTrUFTqICuALEJBJ0gsd0Asd2AwQ1wwj0gwj0CQ3uBbAFMB60FNf0GFr0Qxs
1Axs0Axs0Axs0Axs2A0SkGjSDR7QDR7YDBDXDCLSDCLQIza4BtEMP9QMP9AMP9AMP9AMP/ADAA4f
0A0ech0AAABOYwMAAAAAAAAAAAAAAAUAAAADAAAA87wBAACXAAkAfAJzKHQBAAAAAAAAAAAAAGQB
fAFpAaYBAACrAQAAAAAAAAAAfQN0AwAAAAAAAAAAAAB8AGoCAAAAAAAAAAB8A6wCpgIAAKsCAAAA
AAAAAAB9BG4XdAMAAAAAAAAAAAAAfABqAgAAAAAAAAAAfAJnAawDpgIAAKsCAAAAAAAAAAB9BG5M
IwB0BgAAAAAAAAAAAABqBAAAAAAAAAAAagUAAAAAAAAAAHQGAAAAAAAAAAAAAGoEAAAAAAAAAABq
BgAAAAAAAAAAZgIkAHIkfQV8AGoHAAAAAAAAAACgCAAAAAAAAAAAAAAAAAAAAAAAAAAAfAWmAQAA
qwEAAAAAAAAAAAEAWQBkBH0FfgVuCGQEfQV+BXcBdwB4A1kAdwFkBH0GdBMAAAAAAAAAAAAAfASm
AQAAqwEAAAAAAAAAAGQFawQAAAAAciB8AGoHAAAAAAAAAACgCgAAAAAAAAAAAAAAAAAAAAAAAAAA
ZAZ8AZsAZAedA6wIpgEAAKsBAAAAAAAAAAABAG4XfARyFXQXAAAAAAAAAAAAAHwEZAkZAAAAAAAA
AAAApgEAAKsBAAAAAAAAAAB9BnwGUwApCmENAQAACiAgICAgICAgUmV0dXJucyB0aGUgaW50ZXJu
ZXQgZ2F0ZXdheSBmb3VuZC4KICAgICAgICAgICAgUGFyYW1ldGVyczoKICAgICAgICAgICAgICAg
IHZwY19pZCAoc3RyKTogVlBDIElECiAgICAgICAgICAgICAgICBnYXRld2F5X2lkIChzdHIpOiBJ
bnRlcm5ldCBHYXRld2F5IElELCBpZiBzcGVjaWZpZWQKICAgICAgICAgICAgUmV0dXJuczoKICAg
ICAgICAgICAgICAgIGlndyAoZGljdCk6IGRpY3Qgb2YgaWd3IGZvdW5kLCBOb25lIGlmIG5vbmUg
Zm91bmQKICAgICAgICB6EWF0dGFjaG1lbnQudnBjLWlkKQHaB0ZpbHRlcnOpAdoSSW50ZXJuZXRH
YXRld2F5SWRzTukBAAAAejRFQzIgcmV0dXJuZWQgbW9yZSB0aGFuIG9uZSBJbnRlcm5ldCBHYXRl
d2F5IGZvciBWUEMg+gosIGFib3J0aW5nqQHaA21zZ3ICAAAAKQxyCgAAAHIcAAAAcisAAADaCGJv
dG9jb3Jl2gpleGNlcHRpb25z2gtDbGllbnRFcnJvctoNQm90b0NvcmVFcnJvcnInAAAA2g1mYWls
X2pzb25fYXdz2gNsZW7aCWZhaWxfanNvbnIDAAAAKQdyLgAAAHI0AAAA2gpnYXRld2F5X2lk2gdm
aWx0ZXJz2gRpZ3dz2gFl2gNpZ3dzBwAAACAgICAgICByGwAAANoQZ2V0X21hdGNoaW5nX2lnd3oe
QW5zaWJsZUVjMklndy5nZXRfbWF0Y2hpbmdfaWd3uwAAAHMJAQAAgADwEgkJKvAGABQe8AAEDWUB
3Ro70D1Q0FJY0DxZ0Rpa1BpakAfdFzGwJNQyQshH0BdU0RdU1BdUkASQBOUXMbAk1DJC0Fhi0Fdj
0Bdk0Rdk1BdkkAT4+N0QGNQQI9QQL7UY1DFE1DFS0A9T8AABCSrwAAEJKvAAAQkq2AwQjEzXDCbS
DCagcdEMKdQMKdAMKdAMKdAMKdAMKdAMKdAMKfj4+PjwAwEJKvj4+PAGAA8TiAPdCw6IdIk5jDmQ
cYo9iD3YDBCMTNcMItIMItAncNBeZNAncNAncNAncNAMItEMcdQMcdAMcdAMcdgNEfAAAQk03RIq
qDSwAaw30RIz1BIziEPgDxKICnMYAAAAgkEBQQQAwQQlQg0DwSkaQggDwggFQg0DYwIAAAAAAAAA
AAAAAAYAAAADAAAA88gBAACXAAkAdAEAAAAAAAAAAAAAfABqAQAAAAAAAAAAfAFnAawBpgIAAKsC
AAAAAAAAAAB9Am58IwB0BAAAAAAAAAAAAABqAwAAAAAAAAAAagQAAAAAAAAAAHQEAAAAAAAAAAAA
AGoDAAAAAAAAAABqBQAAAAAAAAAAZgIkAHJUfQNkAnQNAAAAAAAAAAAAAHwDpgEAAKsBAAAAAAAA
AAB2AHIffABqBwAAAAAAAAAAoAgAAAAAAAAAAAAAAAAAAAAAAAAAAGQDfAGbAGQEnQOsBaYBAACr
AQAAAAAAAAAAAQB8AGoHAAAAAAAAAACgCQAAAAAAAAAAAAAAAAAAAAAAAAAAfAOmAQAAqwEAAAAA
AAAAAAEAWQBkBn0DfgNuCGQGfQN+A3cBdwB4A1kAdwFkBn0EdBUAAAAAAAAAAAAAfAKmAQAAqwEA
AAAAAAAAAGQHawQAAAAAciB8AGoHAAAAAAAAAACgCAAAAAAAAAAAAAAAAAAAAAAAAAAAZAh8AZsA
ZAmdA6wFpgEAAKsBAAAAAAAAAAABAG4XfAJyFXQXAAAAAAAAAAAAAHwCZAoZAAAAAAAAAAAApgEA
AKsBAAAAAAAAAAB9BHwEUwApC3rOCiAgICAgICAgUmV0dXJucyB0aGUgdmlydHVhbCBwcml2YXRl
IGNsb3VkIGZvdW5kLgogICAgICAgICAgICBQYXJhbWV0ZXJzOgogICAgICAgICAgICAgICAgdnBj
X2lkIChzdHIpOiBWUEMgSUQKICAgICAgICAgICAgUmV0dXJuczoKICAgICAgICAgICAgICAgIHZw
YyAoZGljdCk6IGRpY3Qgb2YgdnBjIGZvdW5kLCBOb25lIGlmIG5vbmUgZm91bmQKICAgICAgICAp
AdoGVnBjSWRzehVJbnZhbGlkVnBjSUQuTm90Rm91bmR6DFZQQyB3aXRoIElkIHoUIG5vdCBmb3Vu
ZCwgYWJvcnRpbmdyRgAAAE5yRAAAAHojRUMyIHJldHVybmVkIG1vcmUgdGhhbiBvbmUgVlBDIGZv
ciByRQAAAHICAAAAKQxyIQAAAHIrAAAAckgAAABySQAAAHJKAAAAcksAAADaA3N0cnInAAAAck4A
AAByTAAAAHJNAAAAcgMAAAApBXIuAAAAcjQAAADaBHZwY3NyUgAAANoDdnBjcwUAAAAgICAgIHIb
AAAA2hBnZXRfbWF0Y2hpbmdfdnBjeh5BbnNpYmxlRWMySWd3LmdldF9tYXRjaGluZ192cGPXAAAA
cwcBAACAAPAQBgkq3RMtqGTULj7IBsB40BNQ0RNQ1BNQiESIRPjdEBjUECPUEC+1GNQxRNQxUtAP
U/AABAkq8AAECSrwAAQJKuAPJq0jqGGpJqwm0A8w0A8w2BAUlAzXECbSECbQK1a4JtArVtArVtAr
VtAQJtEQV9QQV9AQV9gMEIxM1wwm0gwmoHHRDCnUDCnQDCnQDCnQDCnQDCnQDCnQDCn4+Pj48AkE
CSr4+PjwDAAPE4gD3QsOiHSJOYw5kHGKPYg92AwQjEzXDCLSDCLQJ1/IVtAnX9AnX9AnX9AMItEM
YNQMYNAMYNAMYNgNEfAAAQk03RIqqDSwAaw30RIz1BIziEPgDxKICnMVAAAAghcaAJolQhMDv0EK
Qg4Dwg4FQhMDYwIAAAAAAAAAAAAAAAUAAAADAAAA80AAAACXAHwAZAEZAAAAAAAAAAAAdAEAAAAA
AAAAAAAAfABkAhkAAAAAAAAAAACmAQAAqwEAAAAAAAAAAHwBZAOcA1MAKQROcjMAAAByNwAAACkD
ck8AAAByNwAAAHI0AAAAcgcAAAApAnJTAAAAcjQAAABzAgAAACAgchsAAADaDGdldF9pZ3dfaW5m
b3oaQW5zaWJsZUVjMklndy5nZXRfaWd3X2luZm/vAAAAcy4AAACAAPAGABse0B4z1Bo03RQysDOw
drQ70RQ/1BQ/2BYc8AcEEArwAAQQCvAABAkKch0AAABjAwAAAAAAAAAAAAAABQAAAAMAAADz0gAA
AJcACQB8AGoAAAAAAAAAAACgAQAAAAAAAAAAAAAAAAAAAAAAAAAAZAF8AXwCrAKmAwAAqwMAAAAA
AAAAAAEAZAF8AGoCAAAAAAAAAABkAzwAAABkAFMAIwB0BgAAAAAAAAAAAABqBAAAAAAAAAAAagUA
AAAAAAAAACQAcid9A3wAagYAAAAAAAAAAKAHAAAAAAAAAAAAAAAAAAAAAAAAAAB8A2QErAWmAgAA
qwIAAAAAAAAAAAEAWQBkAH0DfgNkAFMAZAB9A34DdwF3AHgDWQB3ASkGTlSpA9oJYXdzX3JldHJ5
2hFJbnRlcm5ldEdhdGV3YXlJZNoFVnBjSWTaB2NoYW5nZWR6FVVuYWJsZSB0byBkZXRhY2ggVlBD
LnJGAAAAKQhyKwAAANoXZGV0YWNoX2ludGVybmV0X2dhdGV3YXlyKAAAAHJIAAAAckkAAADaC1dh
aXRlckVycm9ycicAAAByTAAAACkEci4AAADaBmlnd19pZHI0AAAAclIAAABzBAAAACAgICByGwAA
AHI6AAAAehhBbnNpYmxlRWMySWd3LmRldGFjaF92cGP3AAAAc5EAAACAAPACBQlHAdgMENQMHNcM
NNIMNLh00Fdd0GVr0Aw00Qxs1Axs0Axs4CcriESMTZgp0Qwk0Awk0Awk+N0PF9QPItQPLvAAAQlH
AfAAAQlHAfAAAQlHAdgMEIxM1wwm0gwmoHHQLkXQDCbRDEbUDEbQDEbQDEbQDEbQDEbQDEbQDEbQ
DEb4+Pj48AMBCUcB+Pj4cxQAAACCJysAqxRBJgO/HEEhA8EhBUEmA2MDAAAAAAAAAAAAAAAFAAAA
AwAAAPMqAQAAlwAJAHwAagAAAAAAAAAAAKABAAAAAAAAAAAAAAAAAAAAAAAAAABkAXwBfAKsAqYD
AACrAwAAAAAAAAAAAQB0BQAAAAAAAAAAAAB8AGoAAAAAAAAAAABkA6YCAACrAgAAAAAAAAAAfQN8
A6ADAAAAAAAAAAAAAAAAAAAAAAAAAAB8AWcBrASmAQAAqwEAAAAAAAAAAAEAZAF8AGoEAAAAAAAA
AABkBTwAAABkAFMAIwB0CgAAAAAAAAAAAABqBgAAAAAAAAAAagcAAAAAAAAAACQAcid9BHwAaggA
AAAAAAAAAKAJAAAAAAAAAAAAAAAAAAAAAAAAAAB8BGQGrAemAgAAqwIAAAAAAAAAAAEAWQBkAH0E
fgRkAFMAZAB9BH4EdwF3AHgDWQB3ASkITlRyXgAAANoZaW50ZXJuZXRfZ2F0ZXdheV9hdHRhY2hl
ZHJCAAAAcmIAAAB6FUZhaWxlZCB0byBhdHRhY2ggVlBDLnJGAAAAKQpyKwAAANoXYXR0YWNoX2lu
dGVybmV0X2dhdGV3YXlyCwAAANoEd2FpdHIoAAAAckgAAABySQAAAHJkAAAAcicAAAByTAAAACkF
ci4AAAByZQAAAHI0AAAA2gZ3YWl0ZXJyUgAAAHMFAAAAICAgICByGwAAANoKYXR0YWNoX3ZwY3oY
QW5zaWJsZUVjMklndy5hdHRhY2hfdnBj/wAAAHO8AAAAgADwAgkJRwHYDBDUDBzXDDTSDDS4dNBX
XdBla9AMNNEMbNQMbNAMbPUGABYgoATUIDDQMk3RFU7UFU6IRtgMEo9LikuoRqg4iEvRDDTUDDTQ
DDTgJyuIRIxNmCnRDCTQDCTQDCT43Q8X1A8i1A8u8AABCUcB8AABCUcB8AABCUcB2AwQjEzXDCbS
DCagcdAuRdAMJtEMRtQMRtAMRtAMRtAMRtAMRtAMRtAMRtAMRvj4+PjwAwEJRwH4+PhzGAAAAIJB
E0EXAMEXFEISA8ErHEINA8INBUISA2MDAAAAAAAAAAAAAAAHAAAAAwAAAPNmAgAAlwB8AKAAAAAA
AAAAAAAAAAAAAAAAAAAAAAB8AnwBrAGmAgAAqwIAAAAAAAAAAH0DfAOAB3wAagEAAAAAAAAAAFMA
ZAJ9BHQFAAAAAAAAAAAAAHwDZAMZAAAAAAAAAAAApgEAAKsBAAAAAAAAAABkBGsEAAAAAHIUfANk
AxkAAAAAAAAAAABkBBkAAAAAAAAAAABkBRkAAAAAAAAAAAB9BHwCcih8BHwCawMAAAAAciJ8AGoD
AAAAAAAAAACgBAAAAAAAAAAAAAAAAAAAAAAAAAAAZAZ8ApsAZAd8BJsAZAidBawJpgEAAKsBAAAA
AAAAAAABAHwAagUAAAAAAAAAAHIRZAp8AGoBAAAAAAAAAABkCzwAAAB8AGoBAAAAAAAAAABTAAkA
ZAp8AGoBAAAAAAAAAABkCzwAAAB8BHIcfACgBgAAAAAAAAAAAAAAAAAAAAAAAAAAfANkDBkAAAAA
AAAAAAB8BKYCAACrAgAAAAAAAAAAAQB8AGoHAAAAAAAAAACgCAAAAAAAAAAAAAAAAAAAAAAAAAAA
ZAp8A2QMGQAAAAAAAAAAAKwNpgIAAKsCAAAAAAAAAAABAG5OIwB0EgAAAAAAAAAAAABqCgAAAAAA
AAAAagsAAAAAAAAAAHQSAAAAAAAAAAAAAGoKAAAAAAAAAABqDAAAAAAAAAAAZgIkAHImfQV8AGoD
AAAAAAAAAACgDQAAAAAAAAAAAAAAAAAAAAAAAAAAfAVkDqwJpgIAAKsCAAAAAAAAAAABAFkAZAB9
BX4FbghkAH0FfgV3AXcAeANZAHcBfABqAQAAAAAAAAAAUwApD06pAXJPAAAA2gDaC2F0dGFjaG1l
bnRzcgIAAAByNAAAAHoOU3VwcGxpZWQgVlBDICh6HCkgZG9lcyBub3QgbWF0Y2ggZm91bmQgVlBD
ICh6CyksIGFib3J0aW5nckYAAABUcmIAAAByMwAAACkCcl8AAAByYAAAAHohVW5hYmxlIHRvIGRl
bGV0ZSBJbnRlcm5ldCBHYXRld2F5KQ5yVAAAAHIoAAAAck0AAAByJwAAAHJOAAAAci0AAAByOgAA
AHIrAAAA2hdkZWxldGVfaW50ZXJuZXRfZ2F0ZXdheXJIAAAAckkAAABySgAAAHJLAAAAckwAAAAp
BnIuAAAAcmUAAAByNAAAAHJTAAAA2gppZ3dfdnBjX2lkclIAAABzBgAAACAgICAgIHIbAAAAcj4A
AAB6H0Fuc2libGVFYzJJZ3cuZW5zdXJlX2lnd19hYnNlbnQLAQAAc3wBAACAANgOEtcOI9IOI6BG
sHbQDiPRDj7UDj6IA9gLDog72BMXlD3QDCDgFReICuULDohzkD3UDyHRCyLUCyKgUdILJtALJtgZ
HJhd1BkrqEHUGS6oeNQZOIhK4AsR8AABCXUBkHqgVtIXK9AXK9gMEIxM1wwi0gwi0CdzuAbQJ3PQ
J3PQXGbQJ3PQJ3PQJ3PQDCLRDHTUDHTQDHTgCw/UCxvwAAIJIdgnK4hEjE2YKdEMJNgTF5Q90Awg
8AQICVMB2CcriESMTZgp0Qwk4A8Z8AABDUgB2BAUlw+SD6AD0CQ51CA6uErREEfUEEfQEEfgDBDU
DBzXDDTSDDS4dNBXWtBbcNRXcdAMNNEMctQMctAMctAMcvjdEBjUECPUEC+1GNQxRNQxUtAPU/AA
AQlTAfAAAQlTAfAAAQlTAdgMEIxM1wwm0gwmoHHQLlHQDCbRDFLUDFLQDFLQDFLQDFLQDFLQDFLQ
DFL4+Pj48AMBCVMB+Pj48AYAEBSMfdAIHHMZAAAAwhNBCkMeAMMeJUQpA8QDHEQkA8QkBUQpA2MH
AAAAAAAAAAAAAAAMAAAAAwAAAPMoBwAAlwBkAH0HfAFyGHwAoAAAAAAAAAAAAAAAAAAAAAAAAAAA
AGQAfAGsAaYCAACrAgAAAAAAAAAAfQduF3wCchV8AKAAAAAAAAAAAAAAAAAAAAAAAAAAAAB8AqYB
AACrAQAAAAAAAAAAfQd8B5ABgGV8AGoBAAAAAAAAAAByG2QCfABqAgAAAAAAAAAAZAM8AAAAZAB8
AGoCAAAAAAAAAABkBDwAAAB8AGoCAAAAAAAAAABTAHwCchV8AKADAAAAAAAAAAAAAAAAAAAAAAAA
AAB8AqYBAACrAQAAAAAAAAAAAQAJAGkAfQh8A3IUdAkAAAAAAAAAAAAAfANkBawGpgIAAKsCAAAA
AAAAAAB8CGQHPAAAAAIAfABqBQAAAAAAAAAAagYAAAAAAAAAAGQXZAhkAmkBfAikAY4BfQl0DwAA
AAAAAAAAAAB8AGoFAAAAAAAAAABkCaYCAACrAgAAAAAAAAAAfQp8CqAIAAAAAAAAAAAAAAAAAAAA
AAAAAAB8CWQKGQAAAAAAAAAAAGQLGQAAAAAAAAAAAGcBrAymAQAAqwEAAAAAAAAAAAEAZAJ8AGoC
AAAAAAAAAABkAzwAAAB0EwAAAAAAAAAAAAB8CWQKGQAAAAAAAAAAAKYBAACrAQAAAAAAAAAAfQd8
AnIcfACgCgAAAAAAAAAAAAAAAAAAAAAAAAAAfAdkDRkAAAAAAAAAAAB8AqYCAACrAgAAAAAAAAAA
AQCQAW7zIwB0FgAAAAAAAAAAAABqDAAAAAAAAAAAag0AAAAAAAAAACQAcid9C3wAag4AAAAAAAAA
AKAPAAAAAAAAAAAAAAAAAAAAAAAAAAB8C2QOrA+mAgAAqwIAAAAAAAAAAAEAWQBkAH0LfguQAW69
ZAB9C34LdwF0FgAAAAAAAAAAAABqDAAAAAAAAAAAahAAAAAAAAAAAHQWAAAAAAAAAAAAAGoMAAAA
AAAAAABqEQAAAAAAAAAAZgIkAHInfQt8AGoOAAAAAAAAAACgDwAAAAAAAAAAAAAAAAAAAAAAAAAA
fAtkEKwPpgIAAKsCAAAAAAAAAAABAFkAZAB9C34LkAFuc2QAfQt+C3cBdwB4A1kAdwFkAH0MdCUA
AAAAAAAAAAAAfAdkERkAAAAAAAAAAACmAQAAqwEAAAAAAAAAAGQSawQAAAAAcvV8B2QRGQAAAAAA
AAAAAGQSGQAAAAAAAAAAAGQTGQAAAAAAAAAAAH0MfAZyRXwAagEAAAAAAAAAAHIhZAJ8AGoCAAAA
AAAAAABkAzwAAAB8B2QNGQAAAAAAAAAAAHwAagIAAAAAAAAAAGQEPAAAAHwAagIAAAAAAAAAAFMA
fACgEwAAAAAAAAAAAAAAAAAAAAAAAAAAfAdkDRkAAAAAAAAAAAB8DKYCAACrAgAAAAAAAAAAAQBu
9XwMfAJrAwAAAAByk3wAagEAAAAAAAAAAHIhZAJ8AGoCAAAAAAAAAABkAzwAAAB8B2QNGQAAAAAA
AAAAAHwAagIAAAAAAAAAAGQEPAAAAHwAagIAAAAAAAAAAFMAfAVyTnwAoAMAAAAAAAAAAAAAAAAA
AAAAAAAAAHwCpgEAAKsBAAAAAAAAAAABAHwAoBMAAAAAAAAAAAAAAAAAAAAAAAAAAHwHZA0ZAAAA
AAAAAAAAfAymAgAAqwIAAAAAAAAAAAEAfACgCgAAAAAAAAAAAAAAAAAAAAAAAAAAfAdkDRkAAAAA
AAAAAAB8AqYCAACrAgAAAAAAAAAAAQBud3wAag4AAAAAAAAAAKAUAAAAAAAAAAAAAAAAAAAAAAAA
AABkFKwPpgEAAKsBAAAAAAAAAAABAG5bfAJyWXwAagEAAAAAAAAAAHIhZAJ8AGoCAAAAAAAAAABk
AzwAAAB8B2QNGQAAAAAAAAAAAHwAagIAAAAAAAAAAGQEPAAAAHwAagIAAAAAAAAAAFMAfACgAwAA
AAAAAAAAAAAAAAAAAAAAAAAAfAKmAQAAqwEAAAAAAAAAAAEAfACgCgAAAAAAAAAAAAAAAAAAAAAA
AAAAfAdkDRkAAAAAAAAAAAB8AqYCAACrAgAAAAAAAAAAAQB8AGoCAAAAAAAAAABkA3gCeAIZAAAA
AAAAAAAAdCsAAAAAAAAAAAAAfABqBQAAAAAAAAAAfABqDgAAAAAAAAAAfAdkDRkAAAAAAAAAAABk
BXwDfARkFawWpgcAAKsHAAAAAAAAAAB6FAAAYwNjAjwAAAB8AKAAAAAAAAAAAAAAAAAAAAAAAAAA
AAB8AnwHZA0ZAAAAAAAAAAAArAGmAgAAqwIAAAAAAAAAAH0HfACgFgAAAAAAAAAAAAAAAAAAAAAA
AAAAfAd8AqYCAACrAgAAAAAAAAAAfQ18AGoCAAAAAAAAAACgFwAAAAAAAAAAAAAAAAAAAAAAAAAA
fA2mAQAAqwEAAAAAAAAAAAEAfABqAgAAAAAAAAAAUwApGE5ybQAAAFRyYgAAAHJPAAAAehBpbnRl
cm5ldC1nYXRld2F5KQHaBXR5cGVz2hFUYWdTcGVjaWZpY2F0aW9uc3JfAAAA2hdpbnRlcm5ldF9n
YXRld2F5X2V4aXN0c9oPSW50ZXJuZXRHYXRld2F5cmAAAAByQgAAAHIzAAAAehtObyBJbnRlcm5l
dCBHYXRld2F5IGV4aXN0cy5yRgAAAHohVW5hYmxlIHRvIGNyZWF0ZSBJbnRlcm5ldCBHYXRld2F5
cm8AAAByAgAAAHI0AAAAejdWUEMgYWxyZWFkeSBhdHRhY2hlZCwgYnV0IGRvZXMgbm90IG1hdGNo
IHJlcXVlc3RlZCBWUEMueiFJbnZhbGlkSW50ZXJuZXRHYXRld2F5SUQuTm90Rm91bmQpBNoNcmVz
b3VyY2VfdHlwZXI3AAAAcjgAAADaC3JldHJ5X2NvZGVzchIAAAApGHJUAAAAci0AAAByKAAAAHJa
AAAAcgkAAAByKwAAANoXY3JlYXRlX2ludGVybmV0X2dhdGV3YXlyCwAAAHJpAAAAcgMAAAByawAA
AHJIAAAAckkAAAByZAAAAHInAAAAckwAAABySgAAAHJLAAAAck0AAAByOgAAAHJOAAAAcgQAAABy
XAAAANoGdXBkYXRlKQ5yLgAAAHJlAAAAcjQAAAByNwAAAHI4AAAAcjkAAAByOgAAAHJTAAAA2g1j
cmVhdGVfcGFyYW1z2ghyZXNwb25zZXJqAAAAclIAAABycQAAANoIaWd3X2luZm9zDgAAACAgICAg
ICAgICAgICAgchsAAAByPQAAAHogQW5zaWJsZUVjMklndy5lbnN1cmVfaWd3X3ByZXNlbnQoAQAA
c0QEAACAANgOEogD4AsR8AADCTDYEhbXEifSEieoBLgW0BIn0RJA1BJAiEOIQ9gNE/AAAQkw2BIW
1xIn0hInqAbREi/UEi+IQ+ALDok72A8T1A8f8AADDSXYKy+QBJQNmGnRECjYLjKQBJQNmGzRECvY
FxuUfdAQJOAPFfAAAQ0u2BAU1xAl0hAloGbREC3UEC3QEC3wBBINVwHYICKQDdgTF/AAARFyAd05
UdBSVtBecNA5cdE5cdQ5cZBN0CI10RQ22BtDmDTUGyvUG0PQG2TQG2TIZNAbZNBWY9AbZNAbZJAI
9QYAGiSgRNQkNNA2T9EZUNQZUJAG2BAWlwuSC7AI0DlK1DBL0Exf1DBg0C9hkAvREGLUEGLQEGLY
Ky+QBJQNmGnRECjlFi6oeNA4SdQvStEWS9QWS5AD4BMZ8AABEUgB2BQYl0+ST6BD0Cg91CQ+wAbR
FEfUFEfQFEf5+N0TG9QTJtQTMvAAAQ1RAfAAAQ1RAfAAAQ1RAdgQFJQM1xAq0hAqqDHQMk/QECrR
EFDUEFDQEFDQEFDQEFDQEFDQEFDREFD4+Pj43RQc1BQn1BQztVjUNUjUNVbQE1fwAAENVwHwAAEN
VwHwAAENVwHYEBSUDNcQKtIQKqgx0DJV0BAq0RBW1BBW0BBW0BBW0BBW0BBW0BBW0RBW+Pj4+PAD
AQ1XAfj4+PAGABoeiErlDxKQM5B91BMl0Q8m1A8mqBHSDyrQDyrYHSCgHdQdL7AB1B0ysDjUHTyQ
CuATHfAAFBFuAdgXG9QXJ/AAAxUt2DM3mAScDaBp0Rgw2DY50DpP1DZQmAScDaBs0Rgz2B8jnH3Q
GCzgFBiXT5JPoEPQKD3UJD7ACtEUS9QUS9AUS9AUS+AVH6A20hUp0BUp2Bcb1Bcn8AADFS3YMzeY
BJwNoGnRGDDYNjnQOk/UNlCYBJwNoGzRGDPYHyOcfdAYLOAXI/AABhVuAdgYHNcYLdIYLahm0Rg1
1Bg10Bg14Bgcnw+aD6gD0CxB1ChCwErRGE/UGE/QGE/YGByfD5oPqAPQLEHUKELARtEYS9QYS9AY
S9AYS+AYHJwM1xgu0hgu0DNs0Bgu0Rht1Bht0Bht+OARF/AABw1EAdgTF9QTI/AAAxEp2C8zkESU
TaAp0RQs2DI10DZL1DJMkESUTaAs0RQv2BsfnD3QFCjgEBTXECXSECWgZtEQLdQQLdAQLdgQFJcP
kg+gA9AkOdQgOrhG0RBD1BBD0BBD8AYACQ2MDZBp0Agg0Agg1AggpU/YDBDUDBzYDBCMTNgMD9AQ
JdQMJtgaLNgRFdgXIdgYO/APCCUK8QAIJQr0AAglCvEACAkK0Agg0Agg0Qgg8BYADxPXDiPSDiOg
RrBz0DtQ1DdR0A4j0Q5S1A5SiAPYExfXEyTSEySgU6gm0RMx1BMxiAjYCAyMDdcIHNIIHJhY0Qgm
1Agm0Agm4A8TjH3QCBxzJQAAAMExQiFEFADEFBRGGQPEKBxFCgPFCihGGQPFMhxGFAPGFAVGGQMp
AU4pDdoIX19uYW1lX1/aCl9fbW9kdWxlX1/aDF9fcXVhbG5hbWVfX3IxAAAAcj8AAAByVAAAAHJa
AAAA2gxzdGF0aWNtZXRob2RyXAAAAHI6AAAAcmsAAAByPgAAAHI9AAAAchIAAAByHQAAAHIbAAAA
ciMAAAByIwAAAKYAAABzugAAAIAAgACAAIAAgADwAgQFM/AABAUz8AAEBTPwDAwFQAHwAAwFQAHw
AAwFQAHwHBoFE/AAGgUT8AAaBRPwABoFE/A4FgUT8AAWBRPwABYFE/AwAAYS8AIFBQrwAAUFCvED
AAYShFzwAgUFCvAOBgVHAfAABgVHAfAABgVHAfAQCgVHAfAACgVHAfAACgVHAfAYGwUd8AAbBR3w
ABsFHfA6WQEFHfAAWQEFHfAAWQEFHfAAWQEFHfAAWQEFHXIdAAAAciMAAABjAAAAAAAAAAAAAAAA
DAAAAAMAAADzuAEAAJcAdAEAAAAAAAAAAAAAdAEAAAAAAAAAAAAApgAAAKsAAAAAAAAAAAB0AQAA
AAAAAAAAAACmAAAAqwAAAAAAAAAAAHQBAAAAAAAAAAAAAGQBZAFkAmcCrAOmAgAAqwIAAAAAAAAA
AHQBAAAAAAAAAAAAAGQEZAVkBmcBrAemAwAAqwMAAAAAAAAAAHQBAAAAAAAAAAAAAGQIZAmsCqYC
AACrAgAAAAAAAAAAdAEAAAAAAAAAAAAAZARkCawKpgIAAKsCAAAAAAAAAAB0AQAAAAAAAAAAAABk
BGQJrAqmAgAAqwIAAAAAAAAAAKwLpgcAAKsHAAAAAAAAAAB9AGcAZAyiAX0BZA1nAX0CdAMAAAAA
AAAAAAAAfABkCHwBfAKsDqYEAACrBAAAAAAAAAAAfQN0AQAAAAAAAAAAAABkBKwPpgEAAKsBAAAA
AAAAAAB9BHQFAAAAAAAAAAAAAHwDfASsEKYCAACrAgAAAAAAAAAAfQV8BaADAAAAAAAAAAAAAAAA
AAAAAAAAAACmAAAAqwAAAAAAAAAAAAEAAgB8A2oEAAAAAAAAAABkEWkAfASkAY4BAQBkAFMAKRJO
cjYAAAByOwAAACkC2gdkZWZhdWx02gdjaG9pY2VzRtoEZGljdNoNcmVzb3VyY2VfdGFncykD2ghy
ZXF1aXJlZNoEdHlwZdoHYWxpYXNlc1TaBGJvb2wpAnKDAAAAcogAAAApB3IzAAAAcjQAAAByNQAA
AHI3AAAAcjgAAAByOQAAAHI6AAAAKQMpBHI5AAAAVCkBcjQAAABGKQRyNQAAAHI7AAAAqQJyMwAA
AHI0AAAAVCkEcjoAAABUcosAAABUKQJyOQAAAHI6AAAAKQTaDWFyZ3VtZW50X3NwZWPaE3N1cHBv
cnRzX2NoZWNrX21vZGXaC3JlcXVpcmVkX2lm2hJtdXR1YWxseV9leGNsdXNpdmUpAXJiAAAAKQJy
LwAAAHIwAAAAchIAAAApBXKFAAAAcgUAAAByIwAAAHI/AAAA2glleGl0X2pzb24pBnKMAAAAco4A
AAByjwAAAHIvAAAAcjAAAADaC2lnd19tYW5hZ2VycwYAAAAgICAgICByGwAAANoEbWFpbnKSAAAA
hAEAAHMPAQAAgADdFBjdHCCZRpxG3Q8TiXaMdt0OEpg5qHm4KNAuQ9AORNEORNQORN0NEZg1oHa4
D9A3SNANSdENSdQNSd0TF6AEqDbQEzLREzLUEzLdFRmgJahm0BU10RU11BU13RMXoAWoRtATM9ET
M9QTM/APCBUG8QAIFQb0AAgVBoBN8BQEEwbwAAQTBvAABBMGgEvwDAAbOdAZOdAEFuUNHdgWI9gc
INgUH9gbLfAJBQ4G8QAFDgb0AAUOBoBG9Q4ADxOYNdAOIdEOIdQOIYBH3RIfoHawd9ASP9ESP9QS
P4BL2AQP1wQX0gQX0QQZ1AQZ0AQZ4AQUgEbUBBTQBB/QBB+Qd9AEH9AEH9AEH9AEH9AEH3IdAAAA
2ghfX21haW5fXyka2g1ET0NVTUVOVEFUSU9O2ghFWEFNUExFU9oGUkVUVVJOckgAAADaC0ltcG9y
dEVycm9y2jBhbnNpYmxlLm1vZHVsZV91dGlscy5jb21tb24uZGljdF90cmFuc2Zvcm1hdGlvbnNy
AwAAANo3YW5zaWJsZV9jb2xsZWN0aW9ucy5hbWF6b24uYXdzLnBsdWdpbnMubW9kdWxlX3V0aWxz
LmVjMnIEAAAA2jthbnNpYmxlX2NvbGxlY3Rpb25zLmFtYXpvbi5hd3MucGx1Z2lucy5tb2R1bGVf
dXRpbHMubW9kdWxlc3IFAAAA2jthbnNpYmxlX2NvbGxlY3Rpb25zLmFtYXpvbi5hd3MucGx1Z2lu
cy5tb2R1bGVfdXRpbHMucmV0cmllc3IGAAAA2jthbnNpYmxlX2NvbGxlY3Rpb25zLmFtYXpvbi5h
d3MucGx1Z2lucy5tb2R1bGVfdXRpbHMudGFnZ2luZ3IIAAAAcgkAAADaQmFuc2libGVfY29sbGVj
dGlvbnMuYW1hem9uLmF3cy5wbHVnaW5zLm1vZHVsZV91dGlscy50cmFuc2Zvcm1hdGlvbnIKAAAA
2jthbnNpYmxlX2NvbGxlY3Rpb25zLmFtYXpvbi5hd3MucGx1Z2lucy5tb2R1bGVfdXRpbHMud2Fp
dGVyc3ILAAAAcioAAAByHAAAAHIhAAAAciMAAABykgAAAHJ+AAAAchIAAAByHQAAAHIbAAAA+gg8
bW9kdWxlPnKfAAAAAQAAAHOHAQAA8AMBAQHwDjERBIAN8GYBMwwEgAjwagEaCgSABvA4AwEJ2AQT
gE+AT4BPgE/42AcS8AABAQnwAAEBCfAAAQEJ2AQIgETwAwEBCfj4+PAGAAFWAdAAVdAAVdAAVdAA
VdAAVeAAU9AAU9AAU9AAU9AAU9AAU9gAWNAAWNAAWNAAWNAAWNAAWNgAUNAAUNAAUNAAUNAAUNAA
UNgAZtAAZtAAZtAAZtAAZtAAZtgAYNAAYNAAYNAAYNAAYNAAYNgAcNAAcNAAcNAAcNAAcNAAcNgA
UtAAUtAAUtAAUtAAUtAAUvAGAAIbgBjUARqgMqhS0AEw0QEw1AEw8AICAVAB8AACAVAB8QMAAjHU
ATDwAgIBUAHwCgIBRAHwAAIBRAHwAAIBRAHwClsDAR3wAFsDAR3wAFsDAR3wAFsDAR3wAFsDAR3x
AFsDAR30AFsDAR3wAFsDAR3wfAYeASDwAB4BIPAAHgEg8EIBAAQMiHrSAxnQAxnYBAiARIFGhEaA
RoBGgEbwAwAEGtADGXMMAAAAiAQNAI0FFQOUARUD
"""

re_memory_address = re.compile(r" at 0x\w+(?=, )")


def hexlify(val):
    return "0x{}".format(binascii.hexlify(val).decode("utf-8"))


def parse_pyc(f):
    f.seek(0, io.SEEK_END)
    if f.tell() == 0:
        yield "type:     empty"
        return

    f.seek(0)
    magic = f.read(4)
    yield "magic:    {}".format(hexlify(magic))

    f.seek(4, 1)
    moddate = f.read(4)
    modtime = time.asctime(time.gmtime(struct.unpack("<L", moddate)[0]))
    yield "moddate:  {} ({} UTC)".format(hexlify(moddate), modtime)

    filesz = f.read(4)
    filesz = struct.unpack("<L", filesz)
    yield f"files sz: {filesz[0]}"

    code = marshal.load(f)
    yield from show_code(code)


def show_code(code, indent=""):
    yield f"{indent}code"

    indent += "   "

    for x in ("argcount", "nlocals", "stacksize", "flags"):
        yield "{}{: <10}: {!r}".format(indent, x, getattr(code, f"co_{x}"))

    yield from show_hex("code", code.co_code, indent=indent)
    s = io.StringIO()
    dis.disassemble(code, file=s)
    for x in s.getvalue().splitlines():
        yield "{}{}".format(indent, re_memory_address.sub("", x))

    yield f"{indent}consts"
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from show_code(const, f"{indent}   ")
        else:
            yield f"   {indent}{const!r}"

    for x in (
            "names",
            "varnames",
            "freevars",
            "cellvars",
            "filename",
            "name",
            "firstlineno",
    ):
        yield "{}{: <10} {!r}".format(indent, x, getattr(code, f"co_{x}"))

    yield from show_hex("lnotab", code.co_lnotab, indent=indent)


def show_hex(label, val, indent):
    val = hexlify(val)

    if len(val) < 60:
        yield f"{indent}{label} {val}"
        return

    yield f"{indent}{label}"
    for i in range(0, len(val), 60):
        yield "{}   {}".format(indent, val[i:i + 60])


decoded_string = base64.b64decode(input_pyc)
len(list(parse_pyc(io.BytesIO(decoded_string))))

@vstinner
Copy link
Member

The following snippet (with a.pyc) seems to crash the python interpreter for me (on exit)

Well, that's a feature: Python doesn't check bytecode for best performance.

If an attacker can inject PYC files, there is no need to generate invalid PYC. Just inject valid code which takes the control of the machine: you can already execute arbitrary code. An attacker is not supposed to be able to inject code, that's an issue in the application.

I close the issue.

cc @SethMichaelLarson

@obfusk
Copy link
Contributor

obfusk commented May 20, 2024

So you're saying merely using dis.disassemble() on a pyc file enables arbitrary code execution? Because I don't see any warning about that in the documentation.

@obfusk
Copy link
Contributor

obfusk commented May 20, 2024

Ah. Right. There is one: "Never unmarshal data received from an untrusted or unauthenticated source."

@thesamesam
Copy link
Contributor

thesamesam commented May 21, 2024
edited

Didn't the pyc in this case come from two real Arch packages, where diffoscope crashed on diffing the two? If so, it'd then be worthy of investigation as to how that was generated. Or did diffoscope mangle the .pyc files making them invalid?

cc @lamby

Am I missing something here?

EDIT: Ah, I see the (non-)guarantee mentioned at https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/371#note_493138, i.e. diffing between versions isn't expected to work.

@vstinner
Copy link
Member

I'm not sure that I understood correctly. Calling dis.dis() on the PYC file is enough to crash Python? That's surprising, it's a bug worth to debug. First, I understood that the PYC code was executed.

@obfusk
Copy link
Contributor

obfusk commented May 23, 2024

I'm not sure that I understood correctly. Calling dis.dis() on the PYC file is enough to crash Python? That's surprising, it's a bug worth to debug. First, I understood that the PYC code was executed.

The PYC code isn't meant to be executed, just parsed and formatted to be able to compare two PYC files by representing them as text (similar to using objdump etc.). Whether the way this is done here causes it to be executed unintentionally -- as the warning from marshal seems to suggest may be the issue here -- is a question we'd love to get an answer to.

It turns out it wasn't the dis.disassemble() call. And merely unmarshalling the PYC doesn't cause the crash. So I assume some of the code above in show_code() that's formatting various co_* attributes of the unmarshalled code is somehow causing the crash.

@vstinner
Copy link
Member

At the end, you think that the bug is that deserializing arbitrary data with marshal is unsafe? The documentation starts with a big red warning about that:
https://docs.python.org/dev/library/marshal.html

Warning: The marshal module is not intended to be secure against erroneous or maliciously constructed data. Never unmarshal data received from an untrusted or unauthenticated source."

@obfusk
Copy link
Contributor

obfusk commented May 23, 2024
edited

At the end, you think that the bug is that deserializing arbitrary data with marshal is unsafe?

I quoted that very same warning and pointed out that whatever is causing the crash diffoscope should never have been using marshal.load() here given the security implications; I was unfamiliar with this code before this bug was filed and only realised it was using marshal.load() when looking into this after you mentioned the bytecode being executed.

That said, the PYC file in question -- ec2_vpc_igw.cpython-311.opt-1.pyc aka a.pyc -- that is causing the crash is not "erroneous or maliciously constructed data" and does not come from an "untrusted or unauthenticated source": it comes from the arch linux ansible package.

It is however Python 3.11 bytecode being unmarshalled and then processed on Python 3.12 by the above code and crashing the interpreter. I completely understand if that is not supported. What I don't know is what exactly is being executed here and whether this should be causing a crash.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type-crash A hard crash of the interpreter, possibly with a core dump
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@vstinner @obfusk @sobolevn @thesamesam @christian-heusel