[New-bugs-announce] [issue4877] xml.parsers.expat ParseFile() causes segmentation fault when passed a closed file object

Steve Howard report at bugs.python.org
Thu Jan 8 06:01:16 CET 2009


New submission from Steve Howard <dev at gostevehoward.com>:

In Python 2.5.4 built from unmodified source:

showard at showardlt:~/src/Python-2.5.4$ ./python
Python 2.5.4 (r254:67916, Jan  7 2009, 20:28:41) 
[GCC 4.2.4 (Ubuntu 4.2.4-1ubuntu3)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from xml.parsers import expat
>>> f=open('/tmp/foo')
>>> p=expat.ParserCreate()
>>> f.close()
>>> p.ParseFile(f)
Segmentation fault

The error is in the control flow in xmlparse_ParseFile()
(Modules/pyexpat.c:1000).  When passed a real file object that's been
closed, PyFile_Check() returns true, but then PyFile_AsFile() returns 0
(since f_fp on the file object is set to zero when the file is closed).
So the local 'fp' is set to 0, and 'readmethod' is left as NULL.  The
conditional at 1033 then fails, and the call to readinst() at 1041
passes readmethod=NULL, leading eventually to a segfault in
PyObject_Call at Objects/abstract.c:1860.

I think it's present in 2.6 as well, but I'm not sure.  It seems to have
been fixed by chance in 3.0 because Guido removed the first branch in
xmlparse_ParseFile altogether in an unrelated change a while ago.

The attached patch simply checks for fp == 0 and raises an exception.  I
don't know if it's the proper solution but you get the idea.

Built with the attached patch:

showard at showardlt:~/src/Python-2.5.4$ ./python
Python 2.5.4 (r254:67916, Jan  7 2009, 20:28:41) 
[GCC 4.2.4 (Ubuntu 4.2.4-1ubuntu3)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from xml.parsers import expat
>>> f=open('/tmp/foo')
>>> p=expat.ParserCreate()
>>> f.close()   
>>> p.ParseFile(f)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ValueError: attempting to parse closed file

----------
components: XML
files: pyexpat_segfault_on_closed_file.patch
keywords: patch
messages: 79398
nosy: showard
severity: normal
status: open
title: xml.parsers.expat ParseFile() causes segmentation fault when passed a closed file object
type: crash
versions: Python 2.5
Added file: http://bugs.python.org/file12646/pyexpat_segfault_on_closed_file.patch

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue4877>
_______________________________________
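
The control flow described in the report, as an added example that is not part of the original message and is not the code in Modules/pyexpat.c. It is a simplified stand-alone C model: the names Obj, parse_file, run_case and dummy_read are hypothetical, and the NULL call is reported as an outcome instead of being executed.

```c
#include <stdio.h>
#include <stddef.h>

typedef int (*ReadMethod)(char *buf, int len);

/* Stand-in for the object handed to ParseFile() (a model, not CPython's types). */
typedef struct {
    int is_real_file;   /* what PyFile_Check() would report */
    FILE *f_fp;         /* set to NULL when the file is closed */
    ReadMethod read;    /* "read" attribute of a file-like object */
} Obj;

enum Outcome { PARSED_VIA_FP, PARSED_VIA_READ, NULL_CALL, VALUE_ERROR };

static int dummy_read(char *buf, int len) { (void)buf; (void)len; return 0; }

/* Models the branches the report describes; patched=1 adds the fp == 0 check. */
enum Outcome parse_file(const Obj *f, int patched) {
    FILE *fp = NULL;
    ReadMethod readmethod = NULL;
    char buf[16];
    if (f->is_real_file) {
        fp = f->f_fp;                   /* PyFile_AsFile(): NULL once closed */
        if (patched && fp == NULL)
            return VALUE_ERROR;         /* "attempting to parse closed file" */
    } else {
        readmethod = f->read;           /* only set for non-file objects */
    }
    if (fp)
        return PARSED_VIA_FP;           /* data is read from the FILE* directly */
    if (readmethod == NULL)
        return NULL_CALL;               /* the real code calls through NULL here */
    readmethod(buf, (int)sizeof buf);
    return PARSED_VIA_READ;
}

/* kind: 0 = open file, 1 = closed file, 2 = file-like object with read() */
enum Outcome run_case(int kind, int patched) {
    Obj o = { kind != 2, kind == 0 ? stdin : NULL, kind == 2 ? dummy_read : NULL };
    return parse_file(&o, patched);
}

int main(void) {
    static const char *name[] = { "parsed via FILE*", "parsed via read()",
                                  "call through NULL readmethod", "ValueError" };
    for (int kind = 0; kind < 3; kind++)
        printf("kind %d: unpatched=%s, patched=%s\n", kind,
               name[run_case(kind, 0)], name[run_case(kind, 1)]);
    return 0;
}
```

Only the closed-file case changes between the two builds; open files and file-like objects take the same path either way.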

