Test case?
On Sat, Apr 13, 2013 at 7:19 AM, mark.dickinson <python-check...@python.org>wrote: > http://hg.python.org/cpython/rev/d5e5017309b1 > changeset: 83283:d5e5017309b1 > branch: 2.7 > user: Mark Dickinson <dicki...@gmail.com> > date: Sat Apr 13 15:19:05 2013 +0100 > summary: > Issue #16447: Fix potential segfault when setting __name__ on a class. > > files: > Lib/test/test_descr.py | 14 ++++++++++++++ > Misc/NEWS | 3 +++ > Objects/typeobject.c | 6 +++++- > 3 files changed, 22 insertions(+), 1 deletions(-) > > > diff --git a/Lib/test/test_descr.py b/Lib/test/test_descr.py > --- a/Lib/test/test_descr.py > +++ b/Lib/test/test_descr.py > @@ -4136,6 +4136,20 @@ > C.__name__ = 'D.E' > self.assertEqual((C.__module__, C.__name__), (mod, 'D.E')) > > + def test_evil_type_name(self): > + # A badly placed Py_DECREF in type_set_name led to arbitrary code > + # execution while the type structure was not in a sane state, and > a > + # possible segmentation fault as a result. See bug #16447. > + class Nasty(str): > + def __del__(self): > + C.__name__ = "other" > + > + class C(object): > + pass > + > + C.__name__ = Nasty("abc") > + C.__name__ = "normal" > + > def test_subclass_right_op(self): > # Testing correct dispatch of subclass overloading __r<op>__... > > diff --git a/Misc/NEWS b/Misc/NEWS > --- a/Misc/NEWS > +++ b/Misc/NEWS > @@ -17,6 +17,9 @@ > Core and Builtins > ----------------- > > +- Issue #16447: Fixed potential segmentation fault when setting __name__ > on a > + class. > + > - Issue #17610: Don't rely on non-standard behavior of the C qsort() > function. > > Library > diff --git a/Objects/typeobject.c b/Objects/typeobject.c > --- a/Objects/typeobject.c > +++ b/Objects/typeobject.c > @@ -225,6 +225,7 @@ > type_set_name(PyTypeObject *type, PyObject *value, void *context) > { > PyHeapTypeObject* et; > + PyObject *tmp; > > if (!(type->tp_flags & Py_TPFLAGS_HEAPTYPE)) { > PyErr_Format(PyExc_TypeError, > @@ -253,10 +254,13 @@ > > Py_INCREF(value); > > - Py_DECREF(et->ht_name); > + /* Wait until et is a sane state before Py_DECREF'ing the old > et->ht_name > + value. (Bug #16447.) */ > + tmp = et->ht_name; > et->ht_name = value; > > type->tp_name = PyString_AS_STRING(value); > + Py_DECREF(tmp); > > return 0; > } > > -- > Repository URL: http://hg.python.org/cpython > > _______________________________________________ > Python-checkins mailing list > python-check...@python.org > http://mail.python.org/mailman/listinfo/python-checkins > >
_______________________________________________ Python-Dev mailing list Python-Dev@python.org http://mail.python.org/mailman/listinfo/python-dev Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
