Skip to content

_zoneinfo: heap buffer overflow reads from malformed TZif data #145883

New issue
New issue
Open
Open
_zoneinfo: heap buffer overflow reads from malformed TZif data#145883
Assignees
StanFromIreland
Labels
extension-modulesC modules in the Modules dirtype-crashA hard crash of the interpreter, possibly with a core dump
@StanFromIreland

Description

@StanFromIreland
StanFromIreland
opened on Mar 12, 2026

Crash report

What happened?

Turns out the first issue was found independently in December 2025 and March 2026 by security researchers, but it isn't considered a security issue. Our OSS Fuzz fuzzer later found a second issue, #492245058.

(See the PR for testcases.)

>>> import _zoneinfo
>>> with open("tzif_invalid_trans_idx", "rb") as f:
...     _zoneinfo.ZoneInfo.from_file(f)
...     
python: ./Modules/_zoneinfo.c:1152: load_data: Assertion `ttinfo_idx < self->num_ttinfos' failed.
Aborted                    (core dumped) /home/stan/dev/cpython/python
>>> import _zoneinfo
>>> with open("tzif_invalid_lookahead", "rb") as f:
...     _zoneinfo.ZoneInfo.from_file(f)
...     
Segmentation fault         (core dumped) /home/stan/dev/cpython/python

I have a patch that fixes both at hand.

CPython versions tested on:

CPython main branch

Operating systems tested on:

No response

Output from running 'python -VV' on the command line:

No response

Linked PRs

Metadata

Metadata

Assignees

Labels

extension-modulesC modules in the Modules dirtype-crashA hard crash of the interpreter, possibly with a core dump

Projects

Date and time issues 🕰️

Status

No status

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions