[New-bugs-announce] [issue24091] Use after free in Element.extend (1)
paul
report at bugs.python.org
Fri May 1 15:56:07 CEST 2015
New submission from paul:
# 1055 for (i = 0; i < seqlen; i++) {
# (gdb) n
# 1056 PyObject* element = PySequence_Fast_GET_ITEM(seq, i);
# (gdb) n
# 1057 if (!PyObject_IsInstance(element, (PyObject *)&Element_Type)) {
# (gdb) print *element
# $19 = {_ob_next = 0x4060e6fc, _ob_prev = 0x4056cd8c, ob_refcnt = 1, ob_type = 0x406de3e4}
# (gdb) n
# 1066 if (element_add_subelement(self, element) < 0) {
# (gdb) print *element
# $20 = {_ob_next = 0xdbdbdbdb, _ob_prev = 0xdbdbdbdb, ob_refcnt = -606348325, ob_type = 0xdbdbdbdb}
#
# Fatal Python error: /home/p/Python-3.4.1/Modules/_elementtree.c:267 object at 0x4056c4cc has negative ref count -606348326
#
# "element" is removed in __getattribute__ method.
----------
files: poc_elt_extend1.py
messages: 242305
nosy: pkt
priority: normal
severity: normal
status: open
title: Use after free in Element.extend (1)
type: crash
versions: Python 3.4
Added file: http://bugs.python.org/file39240/poc_elt_extend1.py
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue24091>
_______________________________________
More information about the New-bugs-announce
mailing list