gh-143375: Fix a crash in BufferedWriter.seek when passing an object with a specially crafted __index__

[tomasr8]

Adds a check after the call to PyNumber_AsOff_t which could have closed the file as a side-effect.

• Issue: Null pointer dereference in BufferedWriter.seek during re-entrant close #143375

[serhiy-storchaka]

Is it only BufferedWriter or other buffered streams?

[tomasr8]

It's also BufferedReader and BufferedRandom since they share the same implementation. I updated the news entry and added tests!

[serhiy-storchaka]

I do not think this comment is needed. It is trivial if we do all right, and we do not what to add such comments for each second line.

Remove CHECK_CLOSED above, it is redundant. Also, I think it is better to move PyNumber_AsOff_t immediately after the whence check.

[serhiy-storchaka]

Oh, and CHECK_INITIALIZED also should be after PyNumber_AsOff_t. Add a test for concurrent detach().

[tomasr8]

I do not think this comment is needed.

Removed

Remove CHECK_CLOSED above, it is redundant.

Also removed

Also, I think it is better to move PyNumber_AsOff_t immediately after the whence check.

Done

Add a test for concurrent detach().

Added!

[serhiy-storchaka]

No, a specially crafted __index__() is not a cause, it is only a mean of reproducing the issue. The root issue is that the buffered stream can be closed (or detached?) concurrently with seek(). This can happen in other thread (or in the garbage collector), when the GIL is released in not so special custom __index__().

[tomasr8]

True, I updated the news entry with the root cause. Let me know if it's ok!

[serhiy-storchaka]

And I think TextIOWrapper has the same issue. See #143007.