[issue29028] Use-After-Free in PyString_FromStringAndSize() of stringobject.c

Serhiy Storchaka added the comment: I wanted first to finish issue27867 (expose new API as public). But this is not needed for this issue. -- dependencies: -various issues due to misuse of PySlice_GetIndicesEx resolution: -> fixed stage: patch review -> resolved status: open ->

[issue29028] Use-After-Free in PyString_FromStringAndSize() of stringobject.c

Ammar Askar added the comment: Did you forget to close this or is this not fixed, Serhiy? -- ___ Python tracker ___

[issue29028] Use-After-Free in PyString_FromStringAndSize() of stringobject.c

Roundup Robot added the comment: New changeset 97c8ec91eb10a04c797e4dac99971e4152abcbec by Serhiy Storchaka in branch '2.7': Issue #29028: Fixed possible use-after-free bugs in the subscription of the https://github.com/python/cpython/commit/97c8ec91eb10a04c797e4dac99971e4152abcbec

[issue29028] Use-After-Free in PyString_FromStringAndSize() of stringobject.c

Roundup Robot added the comment: New changeset 8cfa6d3065b3 by Serhiy Storchaka in branch '2.7': Issue #29028: Fixed possible use-after-free bugs in the subscription of the https://hg.python.org/cpython/rev/8cfa6d3065b3 -- nosy: +python-dev ___

[issue29028] Use-After-Free in PyString_FromStringAndSize() of stringobject.c

Serhiy Storchaka added the comment: Proposed patch fixes the issue. But it is hard to write a reliable patch. -- Added file: http://bugs.python.org/file46417/buffer-use-after-free-3.patch ___ Python tracker

[issue29028] Use-After-Free in PyString_FromStringAndSize() of stringobject.c

Changes by STINNER Victor : -- nosy: +haypo ___ Python tracker ___ ___

[issue29028] Use-After-Free in PyString_FromStringAndSize() of stringobject.c

Changes by Serhiy Storchaka : -- assignee: -> serhiy.storchaka ___ Python tracker ___

[issue29028] Use-After-Free in PyString_FromStringAndSize() of stringobject.c

Serhiy Storchaka added the comment: There a problem with PySlice_GetIndicesEx() (see issue27867). Buffer length shouldn't be evaluated before PySlice_GetIndicesEx() since it can call user code that can change buffer length. This issue can't be solved without first solving issue27867.

[issue29028] Use-After-Free in PyString_FromStringAndSize() of stringobject.c

Changes by Serhiy Storchaka : -- nosy: +serhiy.storchaka ___ Python tracker ___

[issue29028] Use-After-Free in PyString_FromStringAndSize() of stringobject.c

Ammar Askar added the comment: Updated patch based on Rietveld review -- Added file: http://bugs.python.org/file46083/buffer-use-after-free-fix.patch2 ___ Python tracker

[issue29028] Use-After-Free in PyString_FromStringAndSize() of stringobject.c

INADA Naoki added the comment: LGTM -- nosy: +inada.naoki ___ Python tracker ___ ___ Python-bugs-list mailing

[issue29028] Use-After-Free in PyString_FromStringAndSize() of stringobject.c

Changes by Ammar Askar : -- nosy: +benjamin.peterson ___ Python tracker ___ ___

[issue29028] Use-After-Free in PyString_FromStringAndSize() of stringobject.c

Ammar Askar added the comment: The proposed patch fixes this, not sure if a regression test is appropriate here. Here's a more minimal example that demonstrates the exact problem: ``` class Index(): def __index__(self): global a a.append("2") return 999 a =

[issue29028] Use-After-Free in PyString_FromStringAndSize() of stringobject.c

New submission from dyjakan: Recently I started doing some research related to language interpreters and I've stumbled upon a bug in current Python 2.7. I already contacted PSRT and we concluded that this doesn't have security implications. Repro file looks like this: ``` class Index(object):