New submission from STINNER Victor:

$ ./python -c 'import resource; resource.prlimit(-3, 11, "\udbff\udfff")'
Erreur de segmentation (core dumped)

The problem is a generic problem with PyArg_Parse functions and "(O)" format. With this format, the caller does not hold a reference to the object nor the tuple. If arbitrary Python code is executed before the object is used, the object pointer becomes a dangling pointer.

resource.prlimit() uses:

    if (!PyArg_ParseTuple(args, _Py_PARSE_PID "i|(OO):prlimit",
                          &pid, &resource, &curobj, &maxobj))
        return NULL;

In this issue, it's worse: the string is cast to a sequence, and each string character becomes a temporary substring of 1 character. The problem is that neither PyArg_ParseTuple() nor resource_prlimit() holds the reference, and so curobj and maxobj are dangling pointers.

Options:

- raise an error if the second parameter is not a tuple: implement the check in prlimit() or in PyArg_ParseTuple()?
- hold a reference to the sequence, to curobj and to maxobj instead of using borrowed references

----------
messages: 207686
nosy: haypo, serhiy.storchaka
priority: normal
severity: normal
status: open
title: resource.prlimit(int, int, str) crashs
type: crash
versions: Python 3.4

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue20191>
_______________________________________
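
The lifetime problem described in the report above, as a self-contained C model. It is an added illustration, not code from CPython or from the original message, and it does not use the real C API. Obj, Seq, get_item, parse_pair and pair_alive are hypothetical names, and "freed" objects live in a static pool so their state can be inspected safely.

```c
#include <stdio.h>
#include <stddef.h>

/* Model only: a tiny refcounted object standing in for PyObject. */
typedef struct { int refcnt; int live; } Obj;
static Obj pool[8];   /* static slots, so a "freed" object can be inspected safely */
static int used;

static Obj *new_obj(void) { Obj *o = &pool[used++]; o->refcnt = 1; o->live = 1; return o; }
static void decref(Obj *o) { if (--o->refcnt == 0) o->live = 0; }

/* A 2-item sequence. A tuple stores its items and keeps them alive; a str
   stores none and builds a new 1-character object on every item access. */
typedef struct { Obj *stored[2]; } Seq;

static Obj *get_item(Seq *s, int i) {        /* returns a new reference */
    if (s->stored[i]) { s->stored[i]->refcnt++; return s->stored[i]; }
    return new_obj();                        /* temporary substring */
}

/* Model of "(OO)" unpacking. own=0: store the pointer, then release the
   parser's reference (borrowed result). own=1: caller keeps the reference. */
static void parse_pair(Seq *s, int own, Obj **out) {
    for (int i = 0; i < 2; i++) {
        out[i] = get_item(s, i);
        if (!own) decref(out[i]);
    }
}

/* 1 if both parsed objects are still alive when the caller uses them. */
int pair_alive(int is_tuple, int own) {
    Seq s = { { NULL, NULL } };
    Obj *out[2];
    used = 0;
    if (is_tuple) { s.stored[0] = new_obj(); s.stored[1] = new_obj(); }
    parse_pair(&s, own, out);
    int alive = out[0]->live && out[1]->live;
    if (own) { decref(out[0]); decref(out[1]); }   /* caller releases when done */
    return alive;
}

int main(void) {
    printf("tuple, borrowed: %d\n", pair_alive(1, 0));
    printf("str,   borrowed: %d\n", pair_alive(0, 0));
    printf("str,   owned:    %d\n", pair_alive(0, 1));
    return 0;
}
```

Borrowed items stay valid only while the container that owns them is alive, which is why the tuple case survives and the string case does not.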