On Sat, Apr 13, 2013 at 7:25 AM, Eli Bendersky <eli...@gmail.com> wrote:
> Test case? > > Ugh, sorry. I missed it. Ignore my previous email please. Eli > > On Sat, Apr 13, 2013 at 7:19 AM, mark.dickinson < > python-check...@python.org> wrote: > >> http://hg.python.org/cpython/rev/d5e5017309b1 >> changeset: 83283:d5e5017309b1 >> branch: 2.7 >> user: Mark Dickinson <dicki...@gmail.com> >> date: Sat Apr 13 15:19:05 2013 +0100 >> summary: >> Issue #16447: Fix potential segfault when setting __name__ on a class. >> >> files: >> Lib/test/test_descr.py | 14 ++++++++++++++ >> Misc/NEWS | 3 +++ >> Objects/typeobject.c | 6 +++++- >> 3 files changed, 22 insertions(+), 1 deletions(-) >> >> >> diff --git a/Lib/test/test_descr.py b/Lib/test/test_descr.py >> --- a/Lib/test/test_descr.py >> +++ b/Lib/test/test_descr.py >> @@ -4136,6 +4136,20 @@ >> C.__name__ = 'D.E' >> self.assertEqual((C.__module__, C.__name__), (mod, 'D.E')) >> >> + def test_evil_type_name(self): >> + # A badly placed Py_DECREF in type_set_name led to arbitrary code >> + # execution while the type structure was not in a sane state, >> and a >> + # possible segmentation fault as a result. See bug #16447. >> + class Nasty(str): >> + def __del__(self): >> + C.__name__ = "other" >> + >> + class C(object): >> + pass >> + >> + C.__name__ = Nasty("abc") >> + C.__name__ = "normal" >> + >> def test_subclass_right_op(self): >> # Testing correct dispatch of subclass overloading __r<op>__... >> >> diff --git a/Misc/NEWS b/Misc/NEWS >> --- a/Misc/NEWS >> +++ b/Misc/NEWS >> @@ -17,6 +17,9 @@ >> Core and Builtins >> ----------------- >> >> +- Issue #16447: Fixed potential segmentation fault when setting __name__ >> on a >> + class. >> + >> - Issue #17610: Don't rely on non-standard behavior of the C qsort() >> function. >> >> Library >> diff --git a/Objects/typeobject.c b/Objects/typeobject.c >> --- a/Objects/typeobject.c >> +++ b/Objects/typeobject.c >> @@ -225,6 +225,7 @@ >> type_set_name(PyTypeObject *type, PyObject *value, void *context) >> { >> PyHeapTypeObject* et; >> + PyObject *tmp; >> >> if (!(type->tp_flags & Py_TPFLAGS_HEAPTYPE)) { >> PyErr_Format(PyExc_TypeError, >> @@ -253,10 +254,13 @@ >> >> Py_INCREF(value); >> >> - Py_DECREF(et->ht_name); >> + /* Wait until et is a sane state before Py_DECREF'ing the old >> et->ht_name >> + value. (Bug #16447.) */ >> + tmp = et->ht_name; >> et->ht_name = value; >> >> type->tp_name = PyString_AS_STRING(value); >> + Py_DECREF(tmp); >> >> return 0; >> } >> >> -- >> Repository URL: http://hg.python.org/cpython >> >> _______________________________________________ >> Python-checkins mailing list >> python-check...@python.org >> http://mail.python.org/mailman/listinfo/python-checkins >> >> >
_______________________________________________ Python-Dev mailing list Python-Dev@python.org http://mail.python.org/mailman/listinfo/python-dev Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
