This issue tracker has been migrated to GitHub ,
and is currently read-only.
For more information,
see the GitHub FAQs in the Python's Developer Guide.
Created on 2015年05月01日 14:11 by pkt, last changed 2022年04月11日 14:58 by admin. This issue is now closed.
| Files | ||||
|---|---|---|---|---|
| File name | Uploaded | Description | Edit | |
| poc_siftdown1.py | pkt, 2015年05月01日 14:11 | |||
| Messages (3) | |||
|---|---|---|---|
| msg242316 - (view) | Author: paul (pkt) | Date: 2015年05月01日 14:11 | |
# _siftdown(PyListObject *heap, Py_ssize_t startpos, Py_ssize_t pos)
# ...
# newitem = PyList_GET_ITEM(heap, pos);
# Py_INCREF(newitem);
# /* Follow the path to the root, moving parents down until finding
# a place newitem fits. */
# while (pos > startpos){
# parentpos = (pos - 1) >> 1;
# 1 parent = PyList_GET_ITEM(heap, parentpos);
# 2 cmp = PyObject_RichCompareBool(newitem, parent, Py_LT);
# if (cmp == -1) {
# Py_DECREF(newitem);
# return -1;
# }
# 3 if (size != PyList_GET_SIZE(heap)) {
# Py_DECREF(newitem);
# PyErr_SetString(PyExc_RuntimeError,
# "list changed size during iteration");
# return -1;
# }
# if (cmp == 0)
# break;
# 4 Py_INCREF(parent);
# ...
#
# 1. parent isn't protected (refcnt==1)
# 2. custom compare function deletes all objects in "heap" and repopulates it with
# fresh instances. "parent" is freed
# 3. check is ineffective. Heap was mutated while preserving its size
# 4. use after free. Crash will manifest itself later.
|
|||
| msg242408 - (view) | Author: Roundup Robot (python-dev) (Python triager) | Date: 2015年05月02日 17:07 | |
New changeset 813854f49f9d by Raymond Hettinger in branch '3.4': Issues #24099, #24100, and #24101: Fix free-after-use bug in heapq. https://hg.python.org/cpython/rev/813854f49f9d |
|||
| msg242416 - (view) | Author: Roundup Robot (python-dev) (Python triager) | Date: 2015年05月02日 17:27 | |
New changeset d356e68de236 by Raymond Hettinger in branch '2.7': Issues #24099, #24100, and #24101: Fix free-after-use bug in heapq. https://hg.python.org/cpython/rev/d356e68de236 |
|||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022年04月11日 14:58:16 | admin | set | github: 68287 |
| 2015年05月04日 11:21:46 | rhettinger | set | status: open -> closed resolution: fixed |
| 2015年05月03日 06:50:22 | Arfrever | set | nosy:
+ Arfrever |
| 2015年05月02日 17:27:07 | python-dev | set | messages: + msg242416 |
| 2015年05月02日 17:07:44 | python-dev | set | nosy:
+ python-dev messages: + msg242408 |
| 2015年05月02日 04:50:28 | serhiy.storchaka | set | nosy:
+ serhiy.storchaka |
| 2015年05月01日 17:02:18 | rhettinger | set | assignee: rhettinger nosy: + rhettinger |
| 2015年05月01日 14:13:30 | christian.heimes | set | nosy:
+ christian.heimes |
| 2015年05月01日 14:13:14 | christian.heimes | set | stage: needs patch components: + Extension Modules versions: + Python 3.5 |
| 2015年05月01日 14:11:20 | pkt | create | |