Issue 1005778: Avoid seg fault if list object is modified during list.index
The list.index implementation can be coerced into indexing past the end of ob_item. It calls PyObject_RichCompareBool (which may call into Python) in a loop, but the loop counter is only checked against a cached copy of the list size, so if the list shrinks during the comparison, the next counter value may be out of bounds. The patch includes a test case that causes unpatched Pythons to seg fault.
I checked the other uses of PyObject_RichCompareBool in listobject.c, and all of them look safe (but I mostly glossed over the mergesort uses, which I'm sure have been painstakingly verified and tested by its author).
(NB: The change to list_tests.py references the revision number of the post-patch listobject.c. When this is committed, please make sure that that revision number is still current.)
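The stale-bound pattern described in the report, as an added example that is not part of the original report or its patch. It uses a hypothetical `toy_list` type and function names rather than CPython's, and it counts the indices a cached bound would let through instead of actually reading past the end.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy stand-in for a list object (hypothetical type, not CPython's). */
typedef struct { int *item; size_t size; } toy_list;

/* Like PyObject_RichCompareBool, the comparison may run arbitrary code,
   including code that shrinks the list being searched. */
typedef int (*eq_fn)(toy_list *l, int a, int b);

int eq_plain(toy_list *l, int a, int b) { (void)l; return a == b; }

int eq_shrinking(toy_list *l, int a, int b) {
    l->size = 0;                 /* models a list emptied during comparison */
    return a == b;
}

/* Cached-bound pattern from the report. Rather than reading past the live
   end, this model counts the indices the stale bound would have allowed. */
long index_cached(toy_list *l, int v, eq_fn eq, int *stale) {
    size_t n = l->size;          /* bound captured once, never refreshed */
    *stale = 0;
    for (size_t i = 0; i < n; i++) {
        if (i >= l->size) { (*stale)++; continue; }  /* would be an OOB read */
        if (eq(l, l->item[i], v)) return (long)i;
    }
    return -1;
}

/* Hardened pattern: the live size is re-read on every iteration. */
long index_live(toy_list *l, int v, eq_fn eq) {
    for (size_t i = 0; i < l->size; i++)
        if (eq(l, l->item[i], v)) return (long)i;
    return -1;
}

int main(void) {
    int data[4] = {1, 2, 3, 4};  /* constructed sample input */
    toy_list l = { data, 4 };
    int stale;
    long r = index_cached(&l, 9, eq_shrinking, &stale);
    printf("cached: result=%ld, stale indices=%d\n", r, stale);
    l.size = 4;
    r = index_live(&l, 9, eq_shrinking);
    printf("live:   result=%ld, final size=%zu\n", r, l.size);
    return 0;
}
```

In a real list the backing storage may also be released when the list shrinks, so each stale index counted here corresponds to a read of memory the list no longer owns.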