[Python-Dev] [Python-checkins] cpython (2.7): Issue #16447: Fix potential segfault when setting __name__ on a class.
Benjamin Peterson
benjamin at python.org
Sat Apr 13 16:27:00 CEST 2013
2013/4/13 Eli Bendersky <eliben at gmail.com>:
> Test case?
I see one.
>
>
> On Sat, Apr 13, 2013 at 7:19 AM, mark.dickinson <python-checkins at python.org>
> wrote:
>>
>> http://hg.python.org/cpython/rev/d5e5017309b1
>> changeset: 83283:d5e5017309b1
>> branch: 2.7
>> user: Mark Dickinson <dickinsm at gmail.com>
>> date: Sat Apr 13 15:19:05 2013 +0100
>> summary:
>> Issue #16447: Fix potential segfault when setting __name__ on a class.
>>
>> files:
>> Lib/test/test_descr.py | 14 ++++++++++++++
>> Misc/NEWS | 3 +++
>> Objects/typeobject.c | 6 +++++-
>> 3 files changed, 22 insertions(+), 1 deletions(-)
>>
>>
>> diff --git a/Lib/test/test_descr.py b/Lib/test/test_descr.py
>> --- a/Lib/test/test_descr.py
>> +++ b/Lib/test/test_descr.py
>> @@ -4136,6 +4136,20 @@
>> C.__name__ = 'D.E'
>> self.assertEqual((C.__module__, C.__name__), (mod, 'D.E'))
>>
>> + def test_evil_type_name(self):
>> + # A badly placed Py_DECREF in type_set_name led to arbitrary code
>> + # execution while the type structure was not in a sane state, and
>> a
>> + # possible segmentation fault as a result. See bug #16447.
>> + class Nasty(str):
>> + def __del__(self):
>> + C.__name__ = "other"
>> +
>> + class C(object):
>> + pass
>> +
>> + C.__name__ = Nasty("abc")
>> + C.__name__ = "normal"
>> +
>> def test_subclass_right_op(self):
>> # Testing correct dispatch of subclass overloading __r<op>__...
>>
>> diff --git a/Misc/NEWS b/Misc/NEWS
>> --- a/Misc/NEWS
>> +++ b/Misc/NEWS
>> @@ -17,6 +17,9 @@
>> Core and Builtins
>> -----------------
>>
>> +- Issue #16447: Fixed potential segmentation fault when setting __name__
>> on a
>> + class.
>> +
>> - Issue #17610: Don't rely on non-standard behavior of the C qsort()
>> function.
>>
>> Library
>> diff --git a/Objects/typeobject.c b/Objects/typeobject.c
>> --- a/Objects/typeobject.c
>> +++ b/Objects/typeobject.c
>> @@ -225,6 +225,7 @@
>> type_set_name(PyTypeObject *type, PyObject *value, void *context)
>> {
>> PyHeapTypeObject* et;
>> + PyObject *tmp;
>>
>> if (!(type->tp_flags & Py_TPFLAGS_HEAPTYPE)) {
>> PyErr_Format(PyExc_TypeError,
>> @@ -253,10 +254,13 @@
>>
>> Py_INCREF(value);
>>
>> - Py_DECREF(et->ht_name);
>> + /* Wait until et is a sane state before Py_DECREF'ing the old
>> et->ht_name
>> + value. (Bug #16447.) */
>> + tmp = et->ht_name;
>> et->ht_name = value;
>>
>> type->tp_name = PyString_AS_STRING(value);
>> + Py_DECREF(tmp);
>>
>> return 0;
>> }
>>
>> --
>> Repository URL: http://hg.python.org/cpython
>>
>> _______________________________________________
>> Python-checkins mailing list
>> Python-checkins at python.org
>> http://mail.python.org/mailman/listinfo/python-checkins
>>
>
>
> _______________________________________________
> Python-checkins mailing list
> Python-checkins at python.org
> http://mail.python.org/mailman/listinfo/python-checkins
>
--
Regards,
Benjamin
More information about the Python-Dev
mailing list