fix(security)(_imagingtk.c): unsafe pointer dereference from unchecked python i

In `_tkinit`, `PyLong_AsVoidPtr(arg)` converts an arbitrary Python object to a `void*` pointer which is then cast to `Tcl_Interp*` and passed to `TkImaging_Init`. If `PyLong_AsVoidPtr` fails (returns NULL and sets an error), or if the caller passes an arbitrary integer value, the code proceeds to dereference it without any validation, potentially leading to a crash or arbitrary memory access.

Affected files: _imagingtk.c

Signed-off-by: Trần Bách <45133811+barttran2k@users.noreply.github.com>
Trần Bách 2026-04-07 09:41:12 +07:00
parent c722aaec53
commit 117de2b181

@ -33,8 +33,10 @@ _tkinit(PyObject *self, PyObject *args) {
}
interp = (Tcl_Interp *)PyLong_AsVoidPtr(arg);
if (interp == NULL && PyErr_Occurred()) {
return NULL;
}
/* This will bomb if interp is invalid... */
TkImaging_Init(interp);
Py_RETURN_NONE;
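
Review bot: the guard `if (interp == NULL && PyErr_Occurred())` only catches a failed conversion, so a NULL that arrives without a pending error still reaches `TkImaging_Init(interp)` two lines later. `PyLong_AsVoidPtr` returns NULL with no error set when the argument is the integer 0, which is exactly that case. Consider rejecting NULL unconditionally: return NULL if an error is already set, otherwise raise a `ValueError` before returning. The commit message also lists "an arbitrary integer value" as part of the problem, but nothing in this hunk addresses a non-zero bogus address, and the comment `/* This will bomb if interp is invalid... */` is still accurate after the change. Either narrow the commit message to the conversion-failure case or update that comment to state that the caller is trusted to pass a real interpreter address, since the value cannot be validated at this point.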