New submission from paul:
# 1055 for (i = 0; i < seqlen; i++) {
# (gdb) n
# 1056 PyObject* element = PySequence_Fast_GET_ITEM(seq, i);
# (gdb) n
# 1057 if (!PyObject_IsInstance(element, (PyObject *)&Element_Type))
{
# (gdb) print *element
# $19 = {_ob_next = 0x4060e6fc, _ob_prev = 0x4056cd8c, ob_refcnt = 1, ob_type =
0x406de3e4}
# (gdb) n
# 1066 if (element_add_subelement(self, element) < 0) {
# (gdb) print *element
# $20 = {_ob_next = 0xdbdbdbdb, _ob_prev = 0xdbdbdbdb, ob_refcnt = -606348325,
ob_type = 0xdbdbdbdb}
#
# Fatal Python error: /home/p/Python-3.4.1/Modules/_elementtree.c:267 object at
0x4056c4cc has negative ref count -606348326
#
# "element" is removed in __getattribute__ method.
----------
files: poc_elt_extend1.py
messages: 242305
nosy: pkt
priority: normal
severity: normal
status: open
title: Use after free in Element.extend (1)
type: crash
versions: Python 3.4
Added file: http://bugs.python.org/file39240/poc_elt_extend1.py
_______________________________________
Python tracker <[email protected]>
<http://bugs.python.org/issue24091>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
