[issue29438] use after free in key sharing dict
Serhiy Storchaka
report at bugs.python.org
Tue Feb 7 15:00:51 EST 2017
Serhiy Storchaka added the comment:
PyDict_SetItem() can trigger a destructor which first calls _PyObjectDict_SetItem(), which changes CACHED_KEYS(tp), and then calls PyDict_SetItem(), which calls dictresize(). At the end it may be possible that cached != ((PyDictObject *)dict)->ma_keys and cached != CACHED_KEYS(tp) and CACHED_KEYS(tp) != ((PyDictObject *)dict)->ma_keys.

Wouldn't it be better to just update the cached variable after calling PyDict_SetItem()?

    if (was_shared && (cached = CACHED_KEYS(tp)) != NULL && cached != ((PyDictObject *)dict)->ma_keys)
----------
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue29438>
_______________________________________
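
Added example, not part of the original message and not CPython code: a simplified C model of the three-way pointer mismatch described above, comparing a check that uses the stale local `cached` with one that re-reads it after the call. The types, the arena `pool`, `set_item_reentrant()` and `run()` are hypothetical stand-ins; only the names `cached`, `was_shared`, `ma_keys` and the idea of CACHED_KEYS(tp) come from the message, and freed objects are flagged rather than released so the model stays well-defined.

```c
#include <stdio.h>
#include <stddef.h>

/* Simplified stand-ins (assumptions, not CPython's definitions). */
typedef struct { int refcnt; int freed; } keys_t;
typedef struct { keys_t *cached; } type_t;    /* models CACHED_KEYS(tp) */
typedef struct { keys_t *ma_keys; } dict_t;   /* models dict->ma_keys */

static keys_t pool[3];  /* arena: "freed" objects stay inspectable */

static void keys_decref(keys_t *k) { if (--k->refcnt == 0) k->freed = 1; }

/* Models PyDict_SetItem() running a destructor that re-enters: the nested
   call replaces the type's cached keys, then the dict is resized. */
static void set_item_reentrant(dict_t *d, type_t *tp) {
    keys_t *old = tp->cached;
    tp->cached = &pool[1]; pool[1].refcnt = 1;  /* cache swapped */
    keys_decref(old);                           /* type's reference dropped */
    keys_decref(d->ma_keys);                    /* dict's reference dropped */
    d->ma_keys = &pool[2]; pool[2].refcnt = 1;  /* resize installs new keys */
}

/* Returns 1 if the post-call branch would operate on a freed keys object. */
static int run(int reread) {
    for (int i = 0; i < 3; i++) pool[i] = (keys_t){0, 0};
    pool[0].refcnt = 2;                         /* shared by type and dict */
    type_t tp = { &pool[0] };
    dict_t d = { &pool[0] };
    keys_t *cached = tp.cached;
    int was_shared = (cached == d.ma_keys);

    set_item_reentrant(&d, &tp);
    /* Now cached, tp.cached and d.ma_keys are three different objects. */
    if (reread) {
        /* Check with the local refreshed from the type after the call. */
        if (was_shared && (cached = tp.cached) != NULL && cached != d.ma_keys)
            return cached->freed;
        return 0;
    }
    /* Check with the pointer captured before the call. */
    if (was_shared && cached != d.ma_keys)
        return cached->freed;
    return 0;
}

int main(void) {
    printf("stale local: freed=%d\n", run(0));
    printf("re-read:     freed=%d\n", run(1));
    return 0;
}
```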