Message170642
| Author |
sbt |
| Recipients |
amaury.forgeotdarc, jcea, pitrou, sbt, skrah |
| Date |
2012年09月18日.12:49:29 |
| SpamBayes Score |
-1.0 |
| Marked as misclassified |
Yes |
| Message-id |
<1347972570.3.0.567630914084.issue15903@psf.upfronthosting.co.za> |
| In-reply-to |
| Content |
The current non-test uses of PyMemoryView_FromBuffer() are in _io.BufferedReader.read(), _io.BufferedWriter.write(), PyUnicode_Decode().
It looks like they can each be made to leak a memoryview that references a deallocated buffer. (Maybe the answer is Don't Do That.)
import codecs, sys
def decode(buf):
global view
view = buf
return codecs.latin_1_decode(buf)
def getregentry():
return codecs.CodecInfo(name='foobar', decode=decode,
encode=codecs.latin_1_encode)
@codecs.register
def search_function(encoding):
if encoding == 'foobar':
return codecs.CodecInfo(*getregentry())
b = b'hello'.upper()
b.decode('foobar')
print(view.tobytes()) # => b'HELLO'
del b
x = b'dump'.upper()
print(view.tobytes()) # => b'DUMP\x00'
import io, sys
class File(io.RawIOBase):
def readinto(self, buf):
global view
view = buf
n = len(buf)
buf[:] = b'x'*n
return n
def readable(self):
return True
f = io.BufferedReader(File())
f.read(1)
print(view[:5].tobytes()) # => b'xxxxx'
del f
print(view[:5].tobytes()) # => b'\xdd\xdd\xdd\xdd\xdd' |
|
History
|
|---|
| Date |
User |
Action |
Args |
| 2012年09月18日 12:49:30 | sbt | set | recipients:
+ sbt, jcea, amaury.forgeotdarc, pitrou, skrah |
| 2012年09月18日 12:49:30 | sbt | set | messageid: <1347972570.3.0.567630914084.issue15903@psf.upfronthosting.co.za> |
| 2012年09月18日 12:49:29 | sbt | link | issue15903 messages |
| 2012年09月18日 12:49:29 | sbt | create |
|