New submission from paul:
# Program received signal SIGABRT, Aborted.
# 0x40022424 in __kernel_vsyscall ()
# (gdb) bt
# #0 0x40022424 in __kernel_vsyscall ()
# #1 0x400bb1df in raise () from /lib/i386-linux-gnu/libc.so.6
# #2 0x400be825 in abort () from /lib/i386-linux-gnu/libc.so.6
# #3 0x08067030 in Py_FatalError (
# msg=0xbfed7a20 "/home/p/Python-3.4.1/Modules/_elementtree.c:1436 object
at 0x405743ec has negative ref count -606348326")
# at Python/pythonrun.c:2633
# #4 0x080f1374 in _Py_NegativeRefcount (fname=0x40646100
"/home/p/Python-3.4.1/Modules/_elementtree.c", lineno=1436,
# op=<unknown at remote 0x405743ec>) at Objects/object.c:203
# #5 0x4063dfa6 in element_remove (self=0x40583c34,
args=(<xml.etree.ElementTree.Element at remote 0x40583bb4>,))
# at /home/p/Python-3.4.1/Modules/_elementtree.c:1436
# (gdb) frame 5
# #5 0x4063dfa6 in element_remove (self=0x40583c34,
args=(<xml.etree.ElementTree.Element at remote 0x40583bb4>,))
# at /home/p/Python-3.4.1/Modules/_elementtree.c:1436
# 1436 Py_DECREF(self->extra->children[i]);
# (gdb) print i
# $1 = 1
# (gdb) print *(PyObject*)self->extra->children
# $3 = {_ob_next = 0x4057437c, _ob_prev = 0x405743ec, ob_refcnt = 1079461180,
ob_type = 0x4057461c}
#
# Fatal Python error: /home/p/Python-3.4.1/Modules/_elementtree.c:1436 object
at 0x405743ec has negative ref count -606348326
#
# "self->extra->children" is cleared in custom __eq__ method. Py_DECREF handles
# stale pointer. Use after free.
#
----------
files: poc_elt_remove.py
messages: 242307
nosy: pkt
priority: normal
severity: normal
status: open
title: Use after free in Element.remove
type: crash
versions: Python 3.4
Added file: http://bugs.python.org/file39242/poc_elt_remove.py
_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue24093>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
