This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in Python's Developer Guide.

Classification
Title: Use after free during json encoding a dict (2)
Type: crash
Stage: needs patch
Components: Extension Modules
Versions: Python 3.4, Python 3.5

Process
Status: closed
Resolution: duplicate
Dependencies:
Superseder: Use after free during json encoding (PyType_IsSubtype) (view: 24094)
Assigned To:
Nosy List: Arfrever, christian.heimes, ezio.melotti, pitrou, pkt, rhettinger, serhiy.storchaka
Priority: normal
Keywords:

Created on 2015-05-01 14:02 by pkt, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Files
poc_enc_dict2.py (uploaded by pkt, 2015-05-01 14:02)

Messages (1)
msg242309 - Author: paul (pkt) Date: 2015-05-01 14:02
# Breakpoint 1, encoder_listencode_dict (s=0x405b23fc, acc=0xbfaf96ec, dct=<D at remote 0x405c8af4>, indent_level=0)
# at /home/p/Python-3.4.1/Modules/_json.c:1540
# 1540 items = PyMapping_Keys(dct);
# (gdb) print *items
# $1 = {_ob_next = 0x4059029c, _ob_prev = 0x405c8ab4, ob_refcnt = 1, ob_type = 0x830f1a0 <PyLong_Type>}
# (gdb) n
# 1541 if (items == NULL)
# (gdb) n
# 1543 if (!PyList_Check(items)) {
# (gdb) n
# 1547 if (PyList_Sort(items) < 0)
# (gdb) n
# 1549 nitems = PyList_GET_SIZE(items);
# (gdb) n
# 1550 for (i = 0; i < nitems; i++) {
# (gdb) n
# 1552 key = PyList_GET_ITEM(items, i);
# (gdb) n
# 1553 value = PyDict_GetItem(dct, key);
# (gdb) n
# 1554 item = PyTuple_Pack(2, key, value);
# (gdb) print *key
# $2 = {_ob_next = 0xdbdbdbdb, _ob_prev = 0xdbdbdbdb, ob_refcnt = -606348325, ob_type = 0xdbdbdbdb}
# (gdb) n
# 
# Program received signal SIGSEGV, Segmentation fault.
# 0x08104047 in PyTuple_Pack (n=2) at Objects/tupleobject.c:216
# 216 Py_INCREF(o);
# 
# We circumvent the use-after-free bug in PyType_IsSubtype (poc_enc_dict1.py) by
# returning -1 from the __hash__() method. This way PyDict_GetItem bails out
# quickly, without triggering the problematic code.
# PyTuple_Pack handles a stale "key" pointer and crashes. Use after free.
History
Date User Action Args
2022-04-11 14:58:16 admin set github: 68283
2015-05-03 14:34:58 benjamin.peterson set status: open -> closed; superseder: Use after free during json encoding (PyType_IsSubtype); resolution: duplicate
2015-05-03 06:46:23 Arfrever set nosy: + Arfrever
2015-05-02 04:47:46 serhiy.storchaka set nosy: + rhettinger, pitrou, ezio.melotti, serhiy.storchaka
2015-05-01 14:12:43 christian.heimes set nosy: + christian.heimes; stage: needs patch; components: + Extension Modules; versions: + Python 3.5
2015-05-01 14:02:15 pkt create
