Issue 1567234: unchecked metaclass mro (original) (raw)

Created on 2006-09-28 18:48 by gangesmaster, last changed 2022-04-11 14:56 by admin. This issue is now closed.

Messages (4)
msg30048 - (view)	Author: ganges master (gangesmaster)	Date: 2006-09-28 18:48
this bug was fixed in python2.5, but it's worth adding to 2.4.4. metaclasses can return an "insane" mro, which confuses the PyXXX_Check checks, and causes memory corruption. Python 2.4.3 (#69, Mar 29 2006, 17:35:34) [MSC v.1310 32 bit (Intel)] on win32 Type "help", "copyright", "credits" or "license" for more information. >>> class crasher(object): ... class __metaclass__(type): ... def mro(self): ... return (str, int, list) ... >>> c = crasher("hello") >>> c # a very strange object '' >>> dir(c) [] >>> c.append(5) # <access violation - program crashes>
msg30049 - (view)	Author: A.M. Kuchling (akuchling) *	Date: 2006-09-29 12:32
Logged In: YES user_id=11375 Can you please provide a reference to the original bug, or to the revision that fixes the bug in 2.5? +
msg30050 - (view)	Author: ganges master (gangesmaster)	Date: 2006-09-29 13:12
Logged In: YES user_id=1406776 i never managed working with svn's or cvs's... i can point you to the official source distribution of 2.4.2: file: typeobject.c function: static int mro_internal(PyTypeObject *type) +-+-+-+-+-+-+-+- mro = lookup_method((PyObject *)type, "mro", &mro_str); if (mro == NULL) return -1; result = PyObject_CallObject(mro, NULL); Py_DECREF(mro); } if (result == NULL) return -1; tuple = PySequence_Tuple(result); +-+-+-+-+-+-+-+-+- python 2.5 (release) added the following check: +-+-+-+-+-+-+-+-+- if (!PyType_IsSubtype(solid, solid_base(t))) { PyErr_Format(PyExc_TypeError, "mro() returned base with unsuitable layout ('%.500s')", t->tp_name); +-+-+-+-+-+-+-+-+- that's the best i can do, sorry
msg30051 - (view)	Author: A.M. Kuchling (akuchling) *	Date: 2006-11-07 14:06
Logged In: YES user_id=11375 This bugfix didn't make it into Python 2.4.4, and Anthony Baxter suggests there probably won't be a 2.4.5 release, so I'm closing this bug. Sorry it didn't work out.