[issue38588] Use-after-free in dict/list

2019-10-25 Thread LCatro
New submission from LCatro: Code: The variable bval forgets to call Py_INCREF to add a reference in dict_equal() b->ma_keys->dk_lookup(b, key, ep->me_hash, &bval); <--- ... if (bval == NULL) { Py_DECREF(key); Py_DECREF(aval); if

[issue38610] use-after-free in list object function

2019-10-27 Thread LCatro
New submission from LCatro: Code 1: static PyObject * list_index_impl(PyListObject *self, PyObject *value, Py_ssize_t start, Py_ssize_t stop) // ... for (i = start; i < stop && i < Py_SIZE(self); i++) { int cmp = PyObject_RichCompareBool(self->

[issue38588] Use-after-free in dict/list

2019-10-27 Thread LCatro
LCatro added the comment: Sure, but how can I pull my fix code? -- ___ Python tracker <https://bugs.python.org/issue38588> ___ ___ Python-bugs-list mailin

[issue29825] PyFunction_New() not validate code object

2017-03-16 Thread LCatro
New submission from LCatro: PyFunction_New() does not validate the code object, so we can make a string object to fake a code object. This is Python bytecode: LOAD_CONST '\x41\x41\x41\x41' MAKE_FUNCTION 0 In the source code, we can see that the string object trace

[issue29825] PyFunction_New() not validate code object

2017-03-17 Thread LCatro
LCatro added the comment: Actually, LOAD_CONST is taking a correct offset. I made a Python opcode compiler; LOAD_CONST '\x41\x41\x41\x41' will convert to LOAD_CONST 1. Look back at the PoC, it means: LOAD_CONST 1 => Load a string object from

[issue33017] Special set-cookie setting will bypass Cookielib

2018-03-06 Thread LCatro
New submission from LCatro: PoC (PHP version): header('Set-Cookie: test=123; max-age=a'); // PoC 1 header('Set-Cookie: test=123; domain=;'); // PoC 2 header('Set-Cookie: test=123; version=a;'); // PoC 3 PoC 1 will trigger int() to convert a string to a number f