From 117de2b181d94d2272d9b6f0a61083925e6fac6b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tr=E1=BA=A7n=20B=C3=A1ch?= <45133811+barttran2k@users.noreply.github.com> Date: Tue, 7 Apr 2026 09:41:12 +0700 Subject: [PATCH] fix(security)(_imagingtk.c): unsafe pointer dereference from unchecked python i MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In `_tkinit`, `PyLong_AsVoidPtr(arg)` converts an arbitrary Python object to a `void*` pointer which is then cast to `Tcl_Interp*` and passed to `TkImaging_Init`. If `PyLong_AsVoidPtr` fails (returns NULL and sets an error), or if the caller passes an arbitrary integer value, the code proceeds to dereference it without any validation, potentially leading to a crash or arbitrary memory access. Affected files: _imagingtk.c Signed-off-by: Trần Bách <45133811+barttran2k@users.noreply.github.com> --- src/_imagingtk.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/_imagingtk.c b/src/_imagingtk.c index 68d7bf4cd11..7b9607cb5e2 100644 --- a/src/_imagingtk.c +++ b/src/_imagingtk.c @@ -33,8 +33,10 @@ _tkinit(PyObject *self, PyObject *args) { } interp = (Tcl_Interp *)PyLong_AsVoidPtr(arg); + if (interp == NULL && PyErr_Occurred()) { + return NULL; + } - /* This will bomb if interp is invalid... */ TkImaging_Init(interp); Py_RETURN_NONE;
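Review bot: the new check `if (interp == NULL && PyErr_Occurred())` only covers the case where `PyLong_AsVoidPtr` fails. A NULL result with no error set (the caller passed the integer 0) still falls through to `TkImaging_Init(interp)`. Consider returning on any NULL, setting an exception when none is pending: `if (interp == NULL) { if (!PyErr_Occurred()) PyErr_SetString(PyExc_ValueError, "invalid interpreter address"); return NULL; }`. The commit message also names arbitrary integer values as a problem, but nothing in this hunk validates a non-NULL value, so the deleted comment `/* This will bomb if interp is invalid... */` is still accurate for that case. Keep it, or reword it to say that a non-NULL address is trusted as supplied by the caller.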