fix(nif): refuse buffer grow while a memoryview pins it

py_buffer_write relocated and freed buf->data on growth even when a
Python memoryview (PyBuffer_getbuffer) held a raw pointer into it,
dangling the view (use-after-free, whole-node crash). Refuse to grow
while view_count > 0; the write returns an error instead.

Adds py_buffer_SUITE:buffer_grow_pinned_test (pinned grow -> error,
release -> write succeeds).

Author: benoitc

CHANGELOG.md

@@ -4,6 +4,10 @@
 
 ### Security
 
+- **Zero-copy buffer pinning** - `py_buffer` no longer relocates (and frees) its
+  storage while a Python `memoryview` points into it. A write that would grow the
+  buffer while a view is held now returns an error instead of dangling the view into
+  freed memory (a use-after-free that crashed the whole node).
 - **Bounded recursion in type conversion** - The Erlang<->Python converters now cap
   nesting depth, so a deeply nested term (or Python structure) returns a clean error
   instead of overflowing the C stack and crashing the whole node.

c_src/py_buffer.c

@@ -152,6 +152,14 @@ int py_buffer_write(py_buffer_resource_t *buf, const unsigned char *data, size_t
     /* Check if we need to grow the buffer */
     size_t required = buf->write_pos + size;
     if (required > buf->capacity) {
+        /* A live Python memoryview (from PyBuffer_getbuffer) holds a raw pointer
+         * into buf->data. Relocating/freeing the buffer now would leave that
+         * pointer dangling -> use-after-free that crashes the whole node. Refuse
+         * to grow while any view is pinned; the caller gets a write error. */
+        if (buf->view_count > 0) {
+            pthread_mutex_unlock(&buf->mutex);
+            return -1;
+        }
         /* Calculate new capacity */
         size_t new_capacity = buf->capacity;
         while (new_capacity < required) {

test/py_buffer_SUITE.erl

@@ -22,6 +22,7 @@
     seek_tell_test/1,
     find_test/1,
     memoryview_test/1,
+    buffer_grow_pinned_test/1,
     iterator_test/1,
     closed_buffer_test/1,
     empty_buffer_test/1,
@@ -40,6 +41,7 @@ all() -> [
     seek_tell_test,
     find_test,
     memoryview_test,
+    buffer_grow_pinned_test,
     iterator_test,
     closed_buffer_test,
     empty_buffer_test,
@@ -306,6 +308,32 @@ def read_buffer(buf):
 
     ok.
 
+%% @doc A buffer write that must grow the storage is refused while a Python
+%% memoryview pins it (relocating the storage would dangle the view -> UAF).
+%% Regression for the zero-copy view_count guard in py_buffer_write.
+buffer_grow_pinned_test(_Config) ->
+    {ok, Buf} = py_buffer:new(8),           %% capacity 8 bytes
+    ok = py_buffer:write(Buf, <<"ab">>),    %% write_pos 2, within capacity
+    Ctx = py:context(1),
+
+    %% Python holds a memoryview pinning the buffer (kept in a persistent global).
+    {ok, <<"pinned">>} = py:eval(Ctx,
+        <<"globals().setdefault('_keep', []).append(memoryview(buf)) or 'pinned'">>,
+        #{<<"buf">> => Buf}),
+
+    %% Growing the buffer now would relocate buf->data and dangle the memoryview,
+    %% so the write is refused (no crash) while the view is pinned.
+    {error, _} = py_buffer:write(Buf, binary:copy(<<"x">>, 1000)),
+
+    %% Release the view; the same write now succeeds.
+    {ok, <<"released">>} = py:eval(Ctx, <<"_keep[0].release() or 'released'">>),
+    ok = py_buffer:write(Buf, binary:copy(<<"x">>, 1000)),
+
+    %% Context still alive and usable.
+    {ok, 2} = py:eval(Ctx, <<"1+1">>),
+    ok = py_buffer:close(Buf),
+    ok.
+
 %% @doc Test that buffer resources are properly garbage collected
 %% Verifies reference counting between Erlang and Python
 gc_refcount_test(_Config) ->