The `BUFFER_NEW(dtype)` macro expands to `dtype *B = malloc(LENGTH * sizeof(dtype));` with no NULL check. `B` is immediately used in the sorting algorithm inside a `BN_BEGIN_ALLOW_THREADS` block (GIL released), so a NULL dereference cannot even set a Python exception — it's a bare segfault. Four instances (one per dtype in `argpartition`).
File(s): `nonreduce_axis_template.c` (BUFFER_NEW definition), used at generated lines 266, 295, 324, 353 in `nonreduce_axis.c`
See #518 for the complete report.
Found using cext-review-toolkit.
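A stand-alone model of the pattern reported above, added here as an example and not taken from the bottleneck source: the allocation result is checked before the region that would run without the GIL, so failure becomes an error return instead of a NULL dereference. `BUFFER_NEW_MODEL`, `model_malloc`, `fail_next_alloc`, `kth_smallest` and the `KTH_*` codes are hypothetical names; the input array is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed test hook: forces the next allocation to fail, standing in
 * for memory exhaustion. Not part of bottleneck. */
static int fail_next_alloc = 0;
static void *model_malloc(size_t n) {
    if (fail_next_alloc) { fail_next_alloc = 0; return NULL; }
    return malloc(n);
}

/* Same shape as the reported macro: declares B, performs no NULL check. */
#define BUFFER_NEW_MODEL(dtype, length) \
    dtype *B = model_malloc((length) * sizeof(dtype));

enum { KTH_OK = 0, KTH_NOMEM = -1 };

/* Hypothetical kernel: writes the k-th smallest of a[0..n) to *out using
 * scratch buffer B. Requires k < n. */
int kth_smallest(const double *a, size_t n, size_t k, double *out) {
    BUFFER_NEW_MODEL(double, n)
    if (B == NULL)          /* the check missing from the reported code */
        return KTH_NOMEM;   /* GIL still held: a real extension can call
                               PyErr_NoMemory() and return NULL here */
    /* --- a real extension would release the GIL from here --- */
    memcpy(B, a, n * sizeof(double));
    for (size_t i = 0; i <= k; i++) {       /* partial selection sort */
        size_t m = i;
        for (size_t j = i + 1; j < n; j++)
            if (B[j] < B[m]) m = j;
        double t = B[i]; B[i] = B[m]; B[m] = t;
    }
    *out = B[k];
    /* --- and reacquire it here --- */
    free(B);
    return KTH_OK;
}

int main(void) {
    const double a[] = {5.0, 1.0, 4.0, 2.0, 3.0};   /* constructed input */
    double v = 0.0;
    fail_next_alloc = 1;
    int rc = kth_smallest(a, 5, 2, &v);
    printf("forced failure: rc=%d\n", rc);
    rc = kth_smallest(a, 5, 2, &v);
    printf("normal run: rc=%d value=%g\n", rc, v);
    return 0;
}
```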