mirrors/cpython
1
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2025-07-31 07:04:42 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 9

Fix two crashers.

Browse source
This commit is contained in:
Guido van Rossum 2008-01-23 20:19:01 +00:00
parent b2302ba977
commit 1d9a9eaa89
4 changed files with 11 additions and 44 deletions
Download patch file Download diff file Expand all files Collapse all files

14
Lib/test/crashers/borrowed_ref_3.py
View file

@ -1,14 +0,0 @@
"""
PyDict_GetItem() returns a borrowed reference.
There are probably a number of places that are open to attacks
such as the following one, in bltinmodule.c:min_max().
"""
class KeyFunc(object):
def __call__(self, n):
del d['key']
return 1
d = {'key': KeyFunc()}
min(range(10), **d)

28
Lib/test/crashers/borrowed_ref_4.py
View file

@ -1,28 +0,0 @@
"""
PyDict_GetItem() returns a borrowed reference.
This attack is against ceval.c:IMPORT_NAME, which calls an
object (__builtin__.__import__) without holding a reference to it.
"""
import types
import __builtin__
class X(object):
def __getattr__(self, name):
# this is called with name == '__bases__' by PyObject_IsInstance()
# during the unbound method call -- it frees the unbound method
# itself before it invokes its im_func.
del __builtin__.__import__
return ()
pseudoclass = X()
class Y(object):
def __call__(self, *args):
# 'self' was freed already
print self, args
# make an unbound method
__builtin__.__import__ = types.MethodType(Y(), None, (pseudoclass, str))
import spam

7
Python/bltinmodule.c
View file

@ -1245,11 +1245,14 @@ min_max(PyObject *args, PyObject *kwds, int op)
"%s() got an unexpected keyword argument", name); "%s() got an unexpected keyword argument", name);
return NULL; return NULL;
} }
Py_INCREF(keyfunc);
} }
it = PyObject_GetIter(v); it = PyObject_GetIter(v);
if (it == NULL) if (it == NULL) {
Py_XDECREF(keyfunc);
return NULL; return NULL;
}
maxitem = NULL; /* the result */ maxitem = NULL; /* the result */
maxval = NULL; /* the value associated with the result */ maxval = NULL; /* the value associated with the result */
@ -1298,6 +1301,7 @@ min_max(PyObject *args, PyObject *kwds, int op)
else else
Py_DECREF(maxval); Py_DECREF(maxval);
Py_DECREF(it); Py_DECREF(it);
Py_XDECREF(keyfunc);
return maxitem; return maxitem;
Fail_it_item_and_val: Fail_it_item_and_val:
@ -1308,6 +1312,7 @@ Fail_it:
Py_XDECREF(maxval); Py_XDECREF(maxval);
Py_XDECREF(maxitem); Py_XDECREF(maxitem);
Py_DECREF(it); Py_DECREF(it);
Py_XDECREF(keyfunc);
return NULL; return NULL;
} }

6
Python/ceval.c
View file

@ -2066,6 +2066,7 @@ PyEval_EvalFrameEx(PyFrameObject *f, int throwflag)
"__import__ not found"); "__import__ not found");
break; break;
} }
Py_INCREF(x);
v = POP(); v = POP();
u = TOP(); u = TOP();
if (PyInt_AsLong(u) != -1 || PyErr_Occurred()) if (PyInt_AsLong(u) != -1 || PyErr_Occurred())
@ -2087,11 +2088,14 @@ PyEval_EvalFrameEx(PyFrameObject *f, int throwflag)
Py_DECREF(u); Py_DECREF(u);
if (w == NULL) { if (w == NULL) {
u = POP(); u = POP();
Py_DECREF(x);
x = NULL; x = NULL;
break; break;
} }
READ_TIMESTAMP(intr0); READ_TIMESTAMP(intr0);
x = PyEval_CallObject(x, w); v = x;
x = PyEval_CallObject(v, w);
Py_DECREF(v);
READ_TIMESTAMP(intr1); READ_TIMESTAMP(intr1);
Py_DECREF(w); Py_DECREF(w);
SET_TOP(x); SET_TOP(x);