
Unsafe pointer dereference from unchecked Python integer in Tk initialization#9548

Open
barttran2k wants to merge 1 commit into python-pillow:main from
barttran2k:contribai/fix/security/unsafe-pointer-dereference-from-unchecke

Conversation

@barttran2k

Problem

In `_tkinit`, `PyLong_AsVoidPtr(arg)` converts an arbitrary Python object to a `void*` pointer which is then cast to `Tcl_Interp*` and passed to `TkImaging_Init`. If `PyLong_AsVoidPtr` fails (returns NULL and sets an error), or if the caller passes an arbitrary integer value, the code proceeds to dereference it without any validation, potentially leading to a crash or arbitrary memory access.

Severity: medium
File: `src/_imagingtk.c`

Solution

Check the return value of `PyLong_AsVoidPtr` for errors (NULL with exception set) before passing `interp` to `TkImaging_Init`. Add: `if (interp == NULL && PyErr_Occurred()) { return NULL; }`

Changes

  • src/_imagingtk.c (modified)

Testing

  • Existing tests pass
  • Manual review completed
  • No new warnings/errors introduced

…d python i

In `_tkinit`, `PyLong_AsVoidPtr(arg)` converts an arbitrary Python object to a `void*` pointer which is then cast to `Tcl_Interp*` and passed to `TkImaging_Init`. If `PyLong_AsVoidPtr` fails (returns NULL and sets an error), or if the caller passes an arbitrary integer value, the code proceeds to dereference it without any validation, potentially leading to a crash or arbitrary memory access.

Affected files: _imagingtk.c

Signed-off-by: Trần Bách <45133811+barttran2k@users.noreply.github.com>
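The check described in the PR distinguishes two cases that `PyLong_AsVoidPtr` reports the same way: a return of NULL is a conversion failure only when the error indicator is also set, because NULL is equally the correct result for the integer 0. The following C model, added here as an example and not taken from Pillow or from this PR, uses constructed stand-ins (`as_void_ptr` for `PyLong_AsVoidPtr`, `error_occurred` for `PyErr_Occurred`, `Interp` for `Tcl_Interp`, `imaging_init` for `TkImaging_Init`) so it compiles without CPython headers. It shows that the PR's check rejects a failed conversion but lets the integer 0 through to the dereference, and that a stricter variant rejects that too. Neither variant can tell a nonzero arbitrary integer from a live interpreter address; as the description itself notes, that remains the caller's contract.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins for the CPython pieces the PR touches (not Pillow's
 * code): g_error_set models the thread's exception state, error_occurred()
 * models PyErr_Occurred(), as_void_ptr() models PyLong_AsVoidPtr() (NULL on
 * failure with the error indicator set, but NULL is also the correct result
 * for the integer 0), Interp models Tcl_Interp and imaging_init() models
 * TkImaging_Init(), which dereferences whatever pointer it is handed. */
static int g_error_set = 0;
static void clear_error(void) { g_error_set = 0; }
static int error_occurred(void) { return g_error_set; }

static void *as_void_ptr(const char *text) {
    char *end = NULL;
    errno = 0;
    unsigned long long v = strtoull(text, &end, 0);   /* base 0: decimal or 0x... */
    if (text[0] == '\0' || *end != '\0' || errno != 0) {
        g_error_set = 1;          /* conversion failed: NULL plus error indicator */
        return NULL;
    }
    return (void *)(uintptr_t)v;  /* the integer 0 yields NULL with no error */
}

typedef struct { int refcount; } Interp;
static Interp g_interp = { 1 };   /* the one "live" interpreter in this model */

static int imaging_init(Interp *interp) { return interp->refcount; }

/* Outcomes of the two wrappers below. */
enum { TKINIT_OK = 0, TKINIT_ERR_CONVERSION = -1, TKINIT_ERR_NULL = -2 };

/* The check the PR adds: bail out when the conversion itself failed. */
static int tkinit_pr_fix(const char *arg, int *out) {
    clear_error();
    Interp *interp = (Interp *)as_void_ptr(arg);
    if (interp == NULL && error_occurred())
        return TKINIT_ERR_CONVERSION;
    *out = imaging_init(interp);  /* a literal 0 still reaches this dereference */
    return TKINIT_OK;
}

/* Stricter variant: a NULL without an error (the integer 0) is rejected too. */
static int tkinit_strict(const char *arg, int *out) {
    clear_error();
    Interp *interp = (Interp *)as_void_ptr(arg);
    if (interp == NULL)
        return error_occurred() ? TKINIT_ERR_CONVERSION : TKINIT_ERR_NULL;
    *out = imaging_init(interp);
    return TKINIT_OK;
}

/* Address of the model interpreter as decimal text, the form a caller passes. */
static const char *interp_address_text(void) {
    static char buf[32];
    snprintf(buf, sizeof buf, "%llu", (unsigned long long)(uintptr_t)&g_interp);
    return buf;
}

int main(void) {
    int out = 0;
    printf("valid address: %d\n", tkinit_strict(interp_address_text(), &out));
    printf("bad text:      %d\n", tkinit_pr_fix("not-an-integer", &out));
    printf("zero, strict:  %d\n", tkinit_strict("0", &out));
    return 0;
}
```

The `"0"` case is deliberately only run through `tkinit_strict`: with the PR's check alone it would reach `imaging_init(NULL)`, which is the crash the stricter form exists to prevent.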
@aclark4life aclark4life added the 🤖-assisted AI-assisted label Apr 7, 2026
@radarhere
Member

As a general note, our README does ask that you e-mail security problems to us privately.

https://github.com/python-pillow/pillow#report-a-vulnerability

Report a vulnerability
To report a security vulnerability, please follow the procedure described in the Tidelift security policy.

@aclark4life aclark4life changed the title Security: Unsafe pointer dereference from unchecked Python integer in Tk initialization Unsafe pointer dereference from unchecked Python integer in Tk initialization Apr 7, 2026