Memory leak bugs when a new reference is only passed to a non-stealing API (static analyzer reports)

[Snape3058]

• API PyDict_SetItemString does not steal a reference from the third argument.
• API PyDict_SetItem does not steal a reference from the last argument.
• API PyList_Append does not steal a reference from the second argument.
• API PyDict_SetItem does not steal a reference from the third argument if the return value is not zero.

If a new reference is passed to the function without decreasing its refcnt then, it will lead to a memory leak.

---

Pattern 1: APIs returning a new reference are called directly as the third argument.

• Internal Report ID: 1b7403
  

  Pillow/src/_imaging.c

  Line 3773 in 68e39cb

  PyDict_SetItemString(d, "new_count", PyLong_FromLong(arena->stats_new_count));

• Internal Report ID: 6fa78e
  

  Pillow/src/_imaging.c

  Line 3775 in 68e39cb

  d, "allocated_blocks", PyLong_FromLong(arena->stats_allocated_blocks));

• Internal Report ID: b43c87
  

  Pillow/src/_imaging.c

  Line 3777 in 68e39cb

  d, "reused_blocks", PyLong_FromLong(arena->stats_reused_blocks));

• Internal Report ID: 1640ab
  

  Pillow/src/_imaging.c

  Line 3779 in 68e39cb

  d, "reallocated_blocks", PyLong_FromLong(arena->stats_reallocated_blocks));

• Internal Report ID: 78d881
  

  Pillow/src/_imaging.c

  Line 3780 in 68e39cb

  PyDict_SetItemString(d, "freed_blocks", PyLong_FromLong(arena->stats_freed_blocks));

• Internal Report ID: 6acded
  

  Pillow/src/_imaging.c

  Line 3781 in 68e39cb

  PyDict_SetItemString(d, "blocks_cached", PyLong_FromLong(arena->blocks_cached));

• Internal Report ID: 15cbc4
  

  Pillow/src/_imaging.c

  Line 4154 in 68e39cb

  d, "jpeglib_version", PyUnicode_FromString(ImagingJpegVersion()));

• Internal Report ID: a78d30
  

  Pillow/src/_imaging.c

  Line 4162 in 68e39cb

  d, "jp2klib_version", PyUnicode_FromString(ImagingJpeg2KVersion()));

• Internal Report ID: 446850
  

  Pillow/src/_imaging.c

  Line 4172 in 68e39cb

  d, "libjpeg_turbo_version", PyUnicode_FromString(tostr(LIBJPEG_TURBO_VERSION)));

• Internal Report ID: 3c8041
  

  Pillow/src/_imaging.c

  Line 4187 in 68e39cb

  d, "imagequant_version", PyUnicode_FromString(ImagingImageQuantVersion()));

• Internal Report ID: 1abe89
  

  Pillow/src/_imaging.c

  Line 4205 in 68e39cb

  d, "zlib_version", PyUnicode_FromString(ImagingZipVersion()));

• Internal Report ID: b9e74a
  

  Pillow/src/_imaging.c

  Line 4213 in 68e39cb

  d, "libtiff_version", PyUnicode_FromString(ImagingTiffVersion()));

• Internal Report ID: be23b5
  

  Pillow/src/_imaging.c

  Line 4236 in 68e39cb

  PyDict_SetItemString(d, "PILLOW_VERSION", PyUnicode_FromString(version));

• Internal Report ID: 611fdf
  

  Pillow/src/_imagingft.c

  Line 1120 in 68e39cb

  list_axis, "minimum", PyLong_FromLong(axis.minimum / 65536));

• Internal Report ID: 7c0d23
  

  Pillow/src/_imagingft.c

  Line 1121 in 68e39cb

  PyDict_SetItemString(list_axis, "default", PyLong_FromLong(axis.def / 65536));

• Internal Report ID: b84747
  

  Pillow/src/_imagingft.c

  Line 1123 in 68e39cb

  list_axis, "maximum", PyLong_FromLong(axis.maximum / 65536));

• Internal Report ID: 3c802a
  

  Pillow/src/_imagingmorph.c

  Line 243 in 68e39cb

  PyDict_SetItemString(d, "__version", PyUnicode_FromString("0.1"));

• Internal Report ID: 71bbbc
  

  Pillow/src/_webp.c

  Line 960 in 68e39cb

  d, "webpdecoder_version", PyUnicode_FromString(WebPDecoderVersion_str()));

• Internal Report ID: 213466
  

  Pillow/src/_webp.c

  Line 949 in 68e39cb

  m, "HAVE_TRANSPARENCY", PyBool_FromLong(!WebPDecoderBuggyAlpha()));

Pattern 2: Intermediate variables are used to forward the argument.

• Internal Report ID: e4a37b

New reference is returned here:

Pillow/src/_imagingcms.c

Line 1531 in 68e39cb

v = PyUnicode_FromFormat("%d.%d.%d", vn / 1000, (vn / 10) % 100, vn % 10);

PyObject is passed to non-stealing API here:

Pillow/src/_imagingcms.c

Line 1535 in 68e39cb

PyDict_SetItemString(d, "littlecms_version", v);

---

• Internal Report ID: dc5fd5

New reference is returned here:

Pillow/src/_imagingcms.c

Line 1533 in 68e39cb

v = PyUnicode_FromFormat("%d.%d", vn / 1000, (vn / 10) % 100);

PyObject is passed to non-stealing API here:

Pillow/src/_imagingcms.c

Line 1535 in 68e39cb

PyDict_SetItemString(d, "littlecms_version", v);

---

• Internal Report ID: 1e988b

New reference is returned here:

Pillow/src/_imagingcms.c

Line 936 in 68e39cb

id = PyLong_FromLong((long)intent);

PyObject is passed to non-stealing API here:

Pillow/src/_imagingcms.c

Line 952 in 68e39cb

PyDict_SetItem(result, id, entry);

---

• Internal Report ID: 0ef1f7

New reference is returned here:

Pillow/src/_imagingcms.c

Line 937 in 68e39cb

entry = Py_BuildValue(

PyObject is passed to non-stealing API here:

Pillow/src/_imagingcms.c

Line 952 in 68e39cb

PyDict_SetItem(result, id, entry);

---

• Internal Report ID: fce490

New reference is returned here:

Pillow/src/_imagingft.c

Line 1132 in 68e39cb

axis_name = Py_BuildValue("y#", name.string, name.string_len);

PyObject is passed to non-stealing API here:

Pillow/src/_imagingft.c

Line 1133 in 68e39cb

PyDict_SetItemString(list_axis, "name", axis_name);

---

• Internal Report ID: d17f14

New reference is returned here:

Pillow/src/_imagingft.c

Line 1347 in 68e39cb

v = PyUnicode_FromFormat("%d.%d.%d", major, minor, patch);

PyObject is passed to non-stealing API here:

Pillow/src/_imagingft.c

Line 1348 in 68e39cb

PyDict_SetItemString(d, "freetype2_version", v);

---

• Internal Report ID: 21a68f

New reference is returned here:

Pillow/src/_imagingft.c

Line 1368 in 68e39cb

v = PyUnicode_FromString(raqm_version_string());

PyObject is passed to non-stealing API here:

Pillow/src/_imagingft.c

Line 1372 in 68e39cb

PyDict_SetItemString(d, "raqm_version", v);

---

• Internal Report ID: e80f52

New reference is returned here:

Pillow/src/_imagingft.c

Line 1362 in 68e39cb

v = PyBool_FromLong(have_raqm);

PyObject is passed to non-stealing API here:

Pillow/src/_imagingft.c

Line 1363 in 68e39cb

PyDict_SetItemString(d, "HAVE_RAQM", v);

Pillow/src/_imagingft.c

Line 1364 in 68e39cb

PyDict_SetItemString(d, "HAVE_FRIBIDI", v);

Pillow/src/_imagingft.c

Line 1365 in 68e39cb

PyDict_SetItemString(d, "HAVE_HARFBUZZ", v);

---

• Internal Report ID: 29a870

New reference is returned here:

Pillow/src/_imagingmorph.c

Line 195 in 68e39cb

PyObject *coordObj = Py_BuildValue("(nn)", col_idx, row_idx);

PyObject is passed to non-stealing API here:

Pillow/src/_imagingmorph.c

Line 196 in 68e39cb

PyList_Append(ret, coordObj);

---

• Internal Report ID: fddf55

New reference is returned here:

Pillow/src/_imagingmorph.c

Line 231 in 68e39cb

PyObject *coordObj = Py_BuildValue("(nn)", col_idx, row_idx);

PyObject is passed to non-stealing API here:

Pillow/src/_imagingmorph.c

Line 232 in 68e39cb

PyList_Append(ret, coordObj);

[radarhere]

Would you be able to collect any more of these into a single issue?

[Snape3058]

These are all the cases reported by my static analyzer. To find all of them, I suggest filtering and verifying the entire project for these four APIs.

[radarhere]

Would you mind providing some detail on how you ran the static analyzer? What tool did you use specifically?

[Snape3058]

It is an experimental analyzer of my unpublished research, which is developed on the top of the clang static analyzer.

[radarhere]

I've created PR #7003 to resolve this.

API PyDict_SetItem does not steal a reference from the third argument if the return value is not zero.

To clarify, there's a copy paste error here. The text says "PyDict_SetItem", but the link is to "PyModule_AddObject". This statement applies to "PyModule_AddObject".