[Python-checkins] r60224 - in python/trunk: Lib/test/crashers/borrowed_ref_3.py Lib/test/crashers/borrowed_ref_4.py Python/bltinmodule.c Python/ceval.c

guido.van.rossum python-checkins at python.org
Wed Jan 23 21:19:02 CET 2008


Author: guido.van.rossum
Date: Wed Jan 23 21:19:01 2008
New Revision: 60224
Removed:
 python/trunk/Lib/test/crashers/borrowed_ref_3.py
 python/trunk/Lib/test/crashers/borrowed_ref_4.py
Modified:
 python/trunk/Python/bltinmodule.c
 python/trunk/Python/ceval.c
Log:
Fix two crashers.
Deleted: /python/trunk/Lib/test/crashers/borrowed_ref_3.py
==============================================================================
--- /python/trunk/Lib/test/crashers/borrowed_ref_3.py	Wed Jan 23 21:19:01 2008
+++ (empty file)
@@ -1,14 +0,0 @@
-"""
-PyDict_GetItem() returns a borrowed reference.
-There are probably a number of places that are open to attacks
-such as the following one, in bltinmodule.c:min_max().
-"""
-
-class KeyFunc(object):
- def __call__(self, n):
- del d['key']
- return 1
-
-
-d = {'key': KeyFunc()}
-min(range(10), **d)
Deleted: /python/trunk/Lib/test/crashers/borrowed_ref_4.py
==============================================================================
--- /python/trunk/Lib/test/crashers/borrowed_ref_4.py	Wed Jan 23 21:19:01 2008
+++ (empty file)
@@ -1,28 +0,0 @@
-"""
-PyDict_GetItem() returns a borrowed reference.
-This attack is against ceval.c:IMPORT_NAME, which calls an
-object (__builtin__.__import__) without holding a reference to it.
-"""
-
-import types
-import __builtin__
-
-
-class X(object):
- def __getattr__(self, name):
- # this is called with name == '__bases__' by PyObject_IsInstance()
- # during the unbound method call -- it frees the unbound method
- # itself before it invokes its im_func.
- del __builtin__.__import__
- return ()
-
-pseudoclass = X()
-
-class Y(object):
- def __call__(self, *args):
- # 'self' was freed already
- print self, args
-
-# make an unbound method
-__builtin__.__import__ = types.MethodType(Y(), None, (pseudoclass, str))
-import spam
Modified: python/trunk/Python/bltinmodule.c
==============================================================================
--- python/trunk/Python/bltinmodule.c	(original)
+++ python/trunk/Python/bltinmodule.c	Wed Jan 23 21:19:01 2008
@@ -1245,11 +1245,14 @@
 				"%s() got an unexpected keyword argument", name);
 			return NULL;
 		}
+		Py_INCREF(keyfunc);
 	}
 
 	it = PyObject_GetIter(v);
-	if (it == NULL)
+	if (it == NULL) {
+		Py_XDECREF(keyfunc);
 		return NULL;
+	}
 
 	maxitem = NULL; /* the result */
 	maxval = NULL; /* the value associated with the result */
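Review bot: The `Py_INCREF(keyfunc)` added at the end of the keyword-argument branch has no comment saying why min_max now owns this pointer, so the `Py_XDECREF(keyfunc)` calls on the three exits read as unexplained bookkeeping. Going by the deleted borrowed_ref_3.py, keyfunc is presumably a borrowed reference out of the keyword dict, and the key function can delete that entry while it is still being called. I would add `/* keyfunc is borrowed from kwds; the callable can remove itself from kwds, so hold a reference until we return */` above the INCREF. The same applies to `Py_INCREF(x)` in the ceval.c IMPORT_NAME hunk. min_max starts above this hunk, so the lookup that produces keyfunc is not visible here.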
@@ -1298,6 +1301,7 @@
 	else
 		Py_DECREF(maxval);
 	Py_DECREF(it);
+	Py_XDECREF(keyfunc);
 	return maxitem;
 
 Fail_it_item_and_val:
@@ -1308,6 +1312,7 @@
 	Py_XDECREF(maxval);
 	Py_XDECREF(maxitem);
 	Py_DECREF(it);
+	Py_XDECREF(keyfunc);
 	return NULL;
 }
 
Modified: python/trunk/Python/ceval.c
==============================================================================
--- python/trunk/Python/ceval.c	(original)
+++ python/trunk/Python/ceval.c	Wed Jan 23 21:19:01 2008
@@ -2066,6 +2066,7 @@
 						"__import__ not found");
 				break;
 			}
+			Py_INCREF(x);
 			v = POP();
 			u = TOP();
 			if (PyInt_AsLong(u) != -1 || PyErr_Occurred())
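Review bot: Nothing in this commit keeps the reproducer for this path running as a test, so a later edit that drops `Py_INCREF(x)` again would go unnoticed. borrowed_ref_4.py is deleted from Lib/test/crashers, and the file list in this mail touches no test module. The same holds for borrowed_ref_3.py and the min_max change in bltinmodule.c. Moving both scripts into the regular test suite, as cases that must finish without crashing the interpreter, would guard these use-after-free fixes. The IMPORT_NAME case body starts above this hunk and continues past it.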
@@ -2087,11 +2088,14 @@
 			Py_DECREF(u);
 			if (w == NULL) {
 				u = POP();
+				Py_DECREF(x);
 				x = NULL;
 				break;
 			}
 			READ_TIMESTAMP(intr0);
-			x = PyEval_CallObject(x, w);
+			v = x;
+			x = PyEval_CallObject(v, w);
+			Py_DECREF(v);
 			READ_TIMESTAMP(intr1);
 			Py_DECREF(w);
 			SET_TOP(x);
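Review bot: Reusing `v` to hold the callable in `v = x; x = PyEval_CallObject(v, w); Py_DECREF(v);` is easy to misread, because `v` is the value popped from the stack earlier in this opcode (`v = POP()` in the previous hunk). A one-line comment such as `/* v owns the callable across the call; x becomes the result */` would make the ownership hand-off explicit. The lines between the two ceval.c hunks are not shown, so it cannot be confirmed from here that every exit after `Py_INCREF(x)` releases the reference. The `w == NULL` path visible in this hunk does.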

