[Python-Dev] [Python-checkins] cpython (2.7): Issue #16447: Fix potential segfault when setting name on a class. (original) (raw)
Eli Bendersky eliben at gmail.com
Sat Apr 13 16:25:33 CEST 2013
- Previous message: [Python-Dev] Deciding against the CLA
- Next message: [Python-Dev] [Python-checkins] cpython (2.7): Issue #16447: Fix potential segfault when setting __name__ on a class.
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Test case?
On Sat, Apr 13, 2013 at 7:19 AM, mark.dickinson <python-checkins at python.org>wrote:
http://hg.python.org/cpython/rev/d5e5017309b1 changeset: 83283:d5e5017309b1 branch: 2.7 user: Mark Dickinson <dickinsm at gmail.com> date: Sat Apr 13 15:19:05 2013 +0100 summary: Issue #16447: Fix potential segfault when setting name on a class.
files: Lib/test/testdescr.py | 14 ++++++++++++++ Misc/NEWS | 3 +++ Objects/typeobject.c | 6 +++++- 3 files changed, 22 insertions(+), 1 deletions(-)
diff --git a/Lib/test/testdescr.py b/Lib/test/testdescr.py --- a/Lib/test/testdescr.py +++ b/Lib/test/testdescr.py @@ -4136,6 +4136,20 @@ C.name = 'D.E' self.assertEqual((C.module, C.name), (mod, 'D.E')) + def testeviltypename(self): + # A badly placed PyDECREF in typesetname led to arbitrary code + # execution while the type structure was not in a sane state, and a + # possible segmentation fault as a result. See bug #16447. + class Nasty(str): + def del(self): + C.name = "other" + + class C(object): + pass + + C.name = Nasty("abc") + C.name = "normal" + def testsubclassrightop(self): # Testing correct dispatch of subclass overloading r... diff --git a/Misc/NEWS b/Misc/NEWS --- a/Misc/NEWS +++ b/Misc/NEWS @@ -17,6 +17,9 @@ Core and Builtins ----------------- +- Issue #16447: Fixed potential segmentation fault when setting name on a + class. + - Issue #17610: Don't rely on non-standard behavior of the C qsort() function. Library diff --git a/Objects/typeobject.c b/Objects/typeobject.c --- a/Objects/typeobject.c +++ b/Objects/typeobject.c @@ -225,6 +225,7 @@ typesetname(PyTypeObject *type, PyObject *value, void *context) { PyHeapTypeObject* et; + PyObject *tmp; if (!(type->tpflags & PyTPFLAGSHEAPTYPE)) { PyErrFormat(PyExcTypeError, @@ -253,10 +254,13 @@ PyINCREF(value); - PyDECREF(et->htname); + /* Wait until et is a sane state before PyDECREF'ing the old et->htname + value. (Bug #16447.) */ + tmp = et->htname; et->htname = value; type->tpname = PyStringASSTRING(value); + PyDECREF(tmp); return 0; } -- Repository URL: http://hg.python.org/cpython
Python-checkins mailing list Python-checkins at python.org http://mail.python.org/mailman/listinfo/python-checkins -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mail.python.org/pipermail/python-dev/attachments/20130413/322c51a7/attachment.html>
- Previous message: [Python-Dev] Deciding against the CLA
- Next message: [Python-Dev] [Python-checkins] cpython (2.7): Issue #16447: Fix potential segfault when setting __name__ on a class.
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]