Issue #6083: Fix multiple segmentation faults occured when PyArg_ParseTuple

parses nested mutating sequence.
2025-08-04 00:48:58 +00:00 · 2013-02-04 12:54:04 +02:00 · 2013-02-04 12:54:04 +02:00 · 1d0bb9c8f9
commit 1d0bb9c8f9
parent cfe34744e3 19c4e0df29
7 changed files with 118 additions and 15 deletions
--- a/Modules/_ctypes/_ctypes.c
+++ b/Modules/_ctypes/_ctypes.c
@ -3188,23 +3188,37 @@ PyCFuncPtr_FromDll(PyTypeObject *type, PyObject *args, PyObject *kwds)
 {
    char *name;
    int (* address)(void);
+    PyObject *ftuple;
    PyObject *dll;
    PyObject *obj;
    PyCFuncPtrObject *self;
    void *handle;
    PyObject *paramflags = NULL;

-    if (!PyArg_ParseTuple(args, "(O&O)|O", _get_name, &name, &dll, &paramflags))
+    if (!PyArg_ParseTuple(args, "O|O", &ftuple, &paramflags))
        return NULL;
    if (paramflags == Py_None)
        paramflags = NULL;

-    obj = PyObject_GetAttrString(dll, "_handle");
-    if (!obj)
+    ftuple = PySequence_Tuple(ftuple);
+    if (!ftuple)
+        /* Here ftuple is a borrowed reference */
        return NULL;
+
+    if (!PyArg_ParseTuple(ftuple, "O&O", _get_name, &name, &dll)) {
+        Py_DECREF(ftuple);
+        return NULL;
+    }
+
+    obj = PyObject_GetAttrString(dll, "_handle");
+    if (!obj) {
+        Py_DECREF(ftuple);
+        return NULL;
+    }
    if (!PyLong_Check(obj)) {
        PyErr_SetString(PyExc_TypeError,
                        "the _handle attribute of the second argument must be an integer");
+        Py_DECREF(ftuple);
        Py_DECREF(obj);
        return NULL;
    }
@ -3213,6 +3227,7 @@ PyCFuncPtr_FromDll(PyTypeObject *type, PyObject *args, PyObject *kwds)
    if (PyErr_Occurred()) {
        PyErr_SetString(PyExc_ValueError,
                        "could not convert the _handle attribute to a pointer");
+        Py_DECREF(ftuple);
        return NULL;
    }

@ -3227,6 +3242,7 @@ PyCFuncPtr_FromDll(PyTypeObject *type, PyObject *args, PyObject *kwds)
            PyErr_Format(PyExc_AttributeError,
                         "function ordinal %d not found",
                         (WORD)(size_t)name);
+        Py_DECREF(ftuple);
        return NULL;
    }
 #else
@ -3240,9 +3256,12 @@ PyCFuncPtr_FromDll(PyTypeObject *type, PyObject *args, PyObject *kwds)
 #else
        PyErr_SetString(PyExc_AttributeError, ctypes_dlerror());
 #endif
+        Py_DECREF(ftuple);
        return NULL;
    }
 #endif
+    Py_INCREF(dll); /* for KeepRef */
+    Py_DECREF(ftuple);
    if (!_validate_paramflags(type, paramflags))
        return NULL;

@ -3255,7 +3274,6 @@ PyCFuncPtr_FromDll(PyTypeObject *type, PyObject *args, PyObject *kwds)

    *(void **)self->b_ptr = address;

-    Py_INCREF((PyObject *)dll); /* for KeepRef */
    if (-1 == KeepRef((CDataObject *)self, 0, dll)) {
        Py_DECREF((PyObject *)self);
        return NULL;
--- a/Modules/_functoolsmodule.c
+++ b/Modules/_functoolsmodule.c
@ -218,10 +218,10 @@ partial_reduce(partialobject *pto, PyObject *unused)
 }

 static PyObject *
-partial_setstate(partialobject *pto, PyObject *args)
+partial_setstate(partialobject *pto, PyObject *state)
 {
    PyObject *fn, *fnargs, *kw, *dict;
-    if (!PyArg_ParseTuple(args, "(OOOO):__setstate__",
+    if (!PyArg_ParseTuple(state, "OOOO",
                          &fn, &fnargs, &kw, &dict))
        return NULL;
    Py_XDECREF(pto->fn);
@ -245,7 +245,7 @@ partial_setstate(partialobject *pto, PyObject *args)

 static PyMethodDef partial_methods[] = {
    {"__reduce__", (PyCFunction)partial_reduce, METH_NOARGS},
-    {"__setstate__", (PyCFunction)partial_setstate, METH_VARARGS},
+    {"__setstate__", (PyCFunction)partial_setstate, METH_O},
    {NULL,              NULL}           /* sentinel */
 };

--- a/Modules/resource.c
+++ b/Modules/resource.c
@ -142,10 +142,9 @@ resource_setrlimit(PyObject *self, PyObject *args)
 {
    struct rlimit rl;
    int resource;
-    PyObject *curobj, *maxobj;
+    PyObject *limits, *curobj, *maxobj;

-    if (!PyArg_ParseTuple(args, "i(OO):setrlimit",
-                          &resource, &curobj, &maxobj))
+    if (!PyArg_ParseTuple(args, "iO:setrlimit", &resource, &limits))
        return NULL;

    if (resource < 0 || resource >= RLIM_NLIMITS) {
@ -154,21 +153,34 @@ resource_setrlimit(PyObject *self, PyObject *args)
        return NULL;
    }

+    limits = PySequence_Tuple(limits);
+    if (!limits)
+        /* Here limits is a borrowed reference */
+        return NULL;
+
+    if (PyTuple_GET_SIZE(limits) != 2) {
+        PyErr_SetString(PyExc_ValueError,
+                        "expected a tuple of 2 integers");
+        goto error;
+    }
+    curobj = PyTuple_GET_ITEM(limits, 0);
+    maxobj = PyTuple_GET_ITEM(limits, 1);
+
 #if !defined(HAVE_LARGEFILE_SUPPORT)
    rl.rlim_cur = PyLong_AsLong(curobj);
    if (rl.rlim_cur == (rlim_t)-1 && PyErr_Occurred())
-        return NULL;
+        goto error;
    rl.rlim_max = PyLong_AsLong(maxobj);
    if (rl.rlim_max == (rlim_t)-1 && PyErr_Occurred())
-        return NULL;
+        goto error;
 #else
    /* The limits are probably bigger than a long */
    rl.rlim_cur = PyLong_AsLongLong(curobj);
    if (rl.rlim_cur == (rlim_t)-1 && PyErr_Occurred())
-        return NULL;
+        goto error;
    rl.rlim_max = PyLong_AsLongLong(maxobj);
    if (rl.rlim_max == (rlim_t)-1 && PyErr_Occurred())
-        return NULL;
+        goto error;
 #endif

    rl.rlim_cur = rl.rlim_cur & RLIM_INFINITY;
@ -182,10 +194,15 @@ resource_setrlimit(PyObject *self, PyObject *args)
                            "not allowed to raise maximum limit");
        else
            PyErr_SetFromErrno(PyExc_OSError);
-        return NULL;
+        goto error;
    }
+    Py_DECREF(limits);
    Py_INCREF(Py_None);
    return Py_None;
+
+  error:
+    Py_DECREF(limits);
+    return NULL;
 }

 static PyObject *