framebuf: crash with incorrect usage (native subclassing?)
Port, board and/or hardware
unix port, coverage build, x86_64 linux
MicroPython version
MicroPython v1.26.0-preview.524.g255d74b5a8 on 2025-08-06; linux [GCC 12.2.0] version
Reproduction
Run the following Python code:
import framebuf
class FB(framebuf.FrameBuffer): pass
FB.pixel(0,0,0)
Expected behaviour
A TypeError or other appropriate error is raised
Observed behaviour
A segmentation fault.
MicroPython v1.26.0-preview.524.g255d74b5a8 on 2025-08-06; linux [GCC 12.2.0] version
Use Ctrl-D to exit, Ctrl-E for paste mode
>>> import framebuf
>>> class FB(framebuf.FrameBuffer): pass
...
>>> FB.pixel(0,0,0)
Program received signal SIGSEGV, Segmentation fault.
0x0000555555634845 in framebuf_pixel (n_args=3, args_in=0x7fffffffda30)
at ../../extmod/modframebuf.c:376
376 if (0 <= x && x < self->width && 0 <= y && y < self->height) {
(gdb) where
#0 0x0000555555634845 in framebuf_pixel (n_args=3, args_in=0x7fffffffda30)
at ../../extmod/modframebuf.c:376
#1 0x00005555555fdf8d in fun_builtin_var_call (
self_in=0x555555711250 <framebuf_pixel_obj>, n_args=3, n_kw=0, args=0x7fffffffda30)
at ../../py/objfun.c:123
Additional Information
This was found by fuzzing.
Incidentally, when there is NOT a subclass involved, the error is detected:
>>> framebuf.FrameBuffer.pixel(0,0,0)
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
TypeError: argument should be a 'FrameBuffer' not a 'int'
framebuf initializes with ValueError
Port, board and/or hardware
all variants that use the framebuf module
MicroPython version
MicroPython v1.24.0-preview.149.g6007f3e20 on 2024-07-26; Raspberry Pi Pico W with RP2040
Reproduction
I'm using a simple framebuffer with one bit per pixel. This code segment used to work on earlier MicroPython versions but fails now:
import framebuf
w=21; h=8
data = bytearray(w*h // 8)
fb = framebuf.FrameBuffer(data, w, h, framebuf.MONO_HMSB)
Expected behaviour
Expected to accept the input buffer without a ValueError
Observed behaviour
This causes a
File "<stdin>", line 1, in <module>
ValueError:
ValueError is raised with no further details
Additional Information
I tracked this down to the input validation here:
https://github.com/micropython/micropython/blob/master/extmod/modframebuf.c#L318
and I think that's due to
https://github.com/micropython/micropython/blob/master/extmod/modframebuf.c#L294
which modifies the stride value to be 24 ((21 + 7) & ~7 == 24) and therefore the provided input buffer is too small. Modifying the example above with an input buffer of 24 then works as expected.
I'm not sure why this check was introduced. Maybe due to other functionalities in the framebuffer. But in any case it's now difficult to provide a matching input buffer size without the knowledge of what is checked inside the module.
This could be addressed via a doc update. Or raise a ValueError that indicates what went wrong (e.g. "expected buffer length of xxx, got yyy")
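The stride rounding described in the second report, as an added example that is not part of the original issue or of MicroPython's code: it computes the buffer length a 1-bpp horizontal framebuffer needs and shows which byte the last pixel touches. The helper names are hypothetical, and the byte-index formula and the error-message wording (borrowed from the reporter's suggestion) are assumptions.

```python
# Added example, not MicroPython source. Assumptions taken from the report:
# 1-bpp horizontal formats (MONO_HLSB / MONO_HMSB) round the stride up to a
# multiple of 8 pixels, and pixel (x, y) lives in byte (x + y * stride) >> 3.

def padded_stride(width, stride=None):
    """Row length in pixels after rounding up to whole bytes."""
    if stride is None:
        stride = width  # FrameBuffer's stride defaults to the width
    if width < 1 or stride < 1:
        raise ValueError("width and stride must be positive")
    return (stride + 7) & ~7


def required_bytes(width, height, stride=None):
    """Smallest buffer length that holds every row at the padded stride."""
    if height < 1:
        raise ValueError("height must be positive")
    return padded_stride(width, stride) * height // 8


def byte_index(x, y, width, stride=None):
    """Byte offset touched when pixel (x, y) is read or written."""
    return (x + y * padded_stride(width, stride)) >> 3


def check_buffer(buf, width, height, stride=None):
    """Raise a descriptive ValueError instead of an empty one."""
    need = required_bytes(width, height, stride)
    if len(buf) < need:
        raise ValueError("expected buffer length of %d, got %d" % (need, len(buf)))
    return need


if __name__ == "__main__":
    w, h = 21, 8                       # dimensions from the report
    naive = bytearray(w * h // 8)      # 21 bytes, as in the failing snippet
    print("padded stride:", padded_stride(w))
    print("last pixel byte index:", byte_index(w - 1, h - 1, w))
    try:
        check_buffer(naive, w, h)
    except ValueError as exc:
        print("rejected:", exc)
    print("accepted:", check_buffer(bytearray(required_bytes(w, h)), w, h))
```

For the 21x8 case the last pixel falls in byte 23, past the end of a 21-byte buffer, which is the out-of-bounds access the length check prevents.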