[ python-Bugs-1456209 ] dictobject.c:dictresize() vulnerability
SourceForge.net
noreply at sourceforge.net
Thu Jun 1 17:54:47 CEST 2006
Bugs item #1456209, was opened at 2006-03-22 10:47
Message generated for change (Comment added) made by tim_one
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=1456209&group_id=5470
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Python Interpreter Core
Group: None
Status: Closed
Resolution: Fixed
Priority: 5
Submitted By: Armin Rigo (arigo)
Assigned to: Nobody/Anonymous (nobody)
Summary: dictobject.c:dictresize() vulnerability
Initial Comment:
We thought we squashed the last of the
modify-the-dict-from-a-custom-eq kind of bugs long ago.
Too bad.
----------------------------------------------------------------------
>Comment By: Tim Peters (tim_one)
Date: 2006-06-01 11:54
Message:
Logged In: YES
user_id=31435
Patch 1497053 was checked in as revision 46589 of the trunk
for Python 2.5, so closing this. I doubt it's worth the
effort to backport to 2.4.
----------------------------------------------------------------------
Comment By: Armin Rigo (arigo)
Date: 2006-06-01 09:20
Message:
Logged In: YES
user_id=4771
Fixed by patch #1497053.
----------------------------------------------------------------------
Comment By: Armin Rigo (arigo)
Date: 2006-03-22 11:32
Message:
Logged In: YES
user_id=4771
The cause of the bug is that if oldtable == mp->ma_smalltable
then pure Python code can mangle with mp->ma_smalltable while
it is being walked on. A simple fix would be to always make
a copy of the oldtable if it is mp->ma_smalltable (not only
if oldtable == newtable).
Attached a more efficient fix, which should also make dict
resizing somehow faster. It requires yet another version
of the lookup algorithm, though. It's a very simple version
that assumes that all items are different and the dict
contains no dummy entries.
----------------------------------------------------------------------
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=1456209&group_id=5470
More information about the Python-bugs-list
mailing list