
Out-of-bounds tuple access in BaseExceptionGroup_repr #146096

@devdanzin

Description

Crash report

What happened?

It's possible to segfault the interpreter by trying to call repr() on an ExceptionGroup which has had its args set to an empty tuple.

Automated diagnosis:

Bug: At line 1094 of exceptions.c, PyTuple_GET_ITEM(self->args, 1) accesses index 1 of self->args without checking the tuple size. Since args is writable from Python, setting it to an empty tuple causes an OOB read → segfault.

File: Objects/exceptions.c, line 1094

Full report

MRE:

eg = ExceptionGroup("msg", [ValueError()])
eg.args = ()
repr(eg)

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
BaseExceptionGroup_repr (op=0x7ffff759b260) at Objects/exceptions.c:1094
1094            if (PyList_Check(PyTuple_GET_ITEM(self->args, 1))) {
(gdb) bt
#0  BaseExceptionGroup_repr (op=0x7ffff759b260) at Objects/exceptions.c:1094
#1  0x0000555555728177 in PyObject_Repr (v=0x7ffff759b260) at Objects/object.c:782
#2  0x00005555557206b5 in cfunction_vectorcall_O (func=func@entry=0x7ffff75bf830, args=args@entry=0x7fffffffb608, nargsf=nargsf@entry=9223372036854775809, kwnames=kwnames@entry=0x0)
    at Objects/methodobject.c:536
#3  0x00005555556a2ebe in _PyObject_VectorcallTstate (tstate=0x555555d99c08 <_PyRuntime+360664>, callable=0x7ffff75bf830, args=0x7fffffffb608, nargsf=9223372036854775809, kwnames=0x0)
    at ./Include/internal/pycore_call.h:144
#4  0x000055555583f859 in _Py_VectorCallInstrumentation_StackRefSteal (callable=..., arguments=0x7ffff7fa7080, total_args=total_args@entry=1, kwnames=kwnames@entry=...,
    call_instrumentation=false, frame=frame@entry=0x7ffff7fa7020, this_instr=0x7ffff749814a, tstate=0x555555d99c08 <_PyRuntime+360664>) at Python/ceval.c:775
#5  0x000055555584a8e4 in _PyEval_EvalFrameDefault (tstate=tstate@entry=0x555555d99c08 <_PyRuntime+360664>, frame=<optimized out>, frame@entry=0x7ffff7fa7020, throwflag=throwflag@entry=0)
    at Python/generated_cases.c.h:1838
#6  0x000055555583f08b in _PyEval_EvalFrame (tstate=0x555555d99c08 <_PyRuntime+360664>, frame=0x7ffff7fa7020, throwflag=0) at ./Include/internal/pycore_ceval.h:118
#7  _PyEval_Vector (tstate=tstate@entry=0x555555d99c08 <_PyRuntime+360664>, func=func@entry=0x7ffff7466690, locals=locals@entry=0x7ffff746a4b0, args=args@entry=0x0,
    argcount=argcount@entry=0, kwnames=kwnames@entry=0x0) at Python/ceval.c:2130
#8  0x000055555583ee1e in PyEval_EvalCode (co=co@entry=0x7ffff7498040, globals=globals@entry=0x7ffff746a4b0, locals=locals@entry=0x7ffff746a4b0) at Python/ceval.c:686
#9  0x00005555559c8f8e in run_eval_code_obj (tstate=0x555555d99c08 <_PyRuntime+360664>, co=co@entry=0x7ffff7498040, globals=globals@entry=0x7ffff746a4b0, locals=locals@entry=0x7ffff746a4b0)
    at Python/pythonrun.c:1368
#10 0x00005555559c8adb in run_mod (mod=mod@entry=0x555555f3d7d8, filename=filename@entry=0x7ffff74b2e40, globals=globals@entry=0x7ffff746a4b0, locals=locals@entry=0x7ffff746a4b0,
    flags=0x7fffffffc940, arena=arena@entry=0x7ffff74dad40, interactive_src=0x0, generate_new_source=0) at Python/pythonrun.c:1471

Found using cpython-review-toolkit with Claude Opus 4.6, using the /cpython-review-toolkit:explore Objects/exceptions.c all deep command.

CPython versions tested on:

CPython main branch

Operating systems tested on:

Linux

Output from running 'python -VV' on the command line:

Python 3.15.0a7+ (heads/main:e0f7c1097e1, Mar 17 2026, 18:10:52) [Clang 21.1.2 (2ubuntu6)]

Labels

3.13 (bugs and security fixes), 3.14 (bugs and security fixes), 3.15 (new features, bugs and security fixes), interpreter-core (Objects, Python, Grammar, and Parser dirs), type-crash (A hard crash of the interpreter, possibly with a core dump)