Issue 1456209: dictobject.c:dictresize() vulnerability - Python tracker


This issue has been migrated to GitHub: https://github.com/python/cpython/issues/43071

classification

Title: dictobject.c:dictresize() vulnerability
Components: Interpreter Core

process

Status: closed
Resolution: fixed
Nosy List: arigo, tim.peters
Priority: normal

Created on 2006-03-22 15:47 by arigo, last changed 2022-04-11 14:56 by admin. This issue is now closed.

Files

test1.py (uploaded by arigo, 2006-03-22 15:47): Crashing example (all Python versions)
dictresize-fix-1.diff (uploaded by arigo, 2006-03-22 16:32): proposed fix

Messages (5)

msg27842 - Author: Armin Rigo (arigo) (Python committer) Date: 2006-03-22 15:47
We thought we squashed the last of the modify-the-dict-from-a-custom-eq kind of bugs long ago. Too bad.

msg27843 - Author: Armin Rigo (arigo) (Python committer) Date: 2006-03-22 16:32
The cause of the bug is that if oldtable == mp->ma_smalltable then pure Python code can mangle with mp->ma_smalltable while it is being walked on. A simple fix would be to always make a copy of the oldtable if it is mp->ma_smalltable (not only if oldtable == newtable). Attached a more efficient fix, which should also make dict resizing somehow faster. It requires yet another version of the lookup algorithm, though. It's a very simple version that assumes that all items are different and the dict contains no dummy entries.
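
The idea in msg27843 of a resize-only lookup that assumes distinct keys and no dummy entries, sketched as an added example; it is not the attached patch or CPython's code. The toy table, the function names, the probe sequence and the `eq` counter are all illustrative assumptions.

```c
#include <stddef.h>
#include <stdlib.h>
typedef struct { size_t hash; const void *key; int value; } entry;
typedef int (*eq_fn)(const void *, const void *);  /* stands in for a custom __eq__ */
typedef struct { entry *slots; size_t mask; eq_fn eq; } table;
static int eq_calls;                                /* counts eq() invocations */
static int counting_eq(const void *a, const void *b) { eq_calls++; return a == b; }

/* First free slot on the probe chain; compares no keys, so no callback can run. */
static entry *probe_free(entry *slots, size_t mask, size_t hash) {
    size_t i = hash & mask;
    for (size_t p = hash; slots[i & mask].key != NULL; p >>= 5) i = 5 * i + p + 1;
    return &slots[i & mask];
}

/* Ordinary lookup: a hash match calls eq(), which may run arbitrary code. */
static entry *lookup(table *t, size_t hash, const void *key) {
    size_t i = hash & t->mask;
    for (size_t p = hash; t->slots[i & t->mask].key != NULL; p >>= 5) {
        entry *e = &t->slots[i & t->mask];
        if (e->key == key || (e->hash == hash && t->eq(e->key, key))) return e;
        i = 5 * i + p + 1;
    }
    return NULL;
}

/* Resize into a separate allocation, moving entries with probe_free() only. */
static int resize(table *t, size_t new_size) {      /* new_size: power of two */
    entry *old = t->slots, *fresh = calloc(new_size, sizeof *fresh);
    if (fresh == NULL) return -1;
    for (size_t i = 0; i <= t->mask; i++)
        if (old[i].key != NULL) *probe_free(fresh, new_size - 1, old[i].hash) = old[i];
    t->slots = fresh; t->mask = new_size - 1;
    free(old);
    return 0;
}

int eq_calls_during_resize(void) {  /* eq() calls made while resizing; -1 on failure */
    static char keys[6];                            /* constructed sample keys */
    table t = { calloc(8, sizeof(entry)), 7, counting_eq };
    if (t.slots == NULL) return -1;
    for (int k = 0; k < 6; k++)                     /* shared hash forces collisions */
        *probe_free(t.slots, t.mask, 42) = (entry){ 42, &keys[k], k };
    eq_calls = 0;
    int during = resize(&t, 32) == 0 ? eq_calls : -1;
    for (int k = 0; during == 0 && k < 6; k++)
        if (lookup(&t, 42, &keys[k]) == NULL) during = -1;
    free(t.slots);
    return during;
}
```

Because `probe_free()` only tests slots for emptiness, the walk over the old table cannot re-enter user code, even when every key collides.
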
msg27844 - Author: Armin Rigo (arigo) (Python committer) Date: 2006-06-01 13:20
Fixed by patch #1497053.

msg27845 - Author: Tim Peters (tim.peters) (Python committer) Date: 2006-06-01 15:54
Patch 1497053 was checked in as revision 46589 of the trunk for Python 2.5, so closing this. I doubt it's worth the effort to backport to 2.4.

msg27846 - Author: Tim Peters (tim.peters) (Python committer) Date: 2006-10-09 20:29
I backported the parts of rev 46589 relevant to this bug to the 2.4 maint branch, as rev 52256, for Python 2.4.4.

History
Date User Action Args
2022-04-11 14:56:16 admin set github: 43071
2006-03-22 15:47:18 arigo create