[New-bugs-announce] [issue24096] Use after free during json encoding a dict (3)

paul report at bugs.python.org
Fri May 1 16:03:23 CEST 2015


New submission from paul:

# Program received signal SIGSEGV, Segmentation fault.
# 0x40036740 in encoder_listencode_dict (s=0x405b43fc, acc=0xbf86438c, dct=<D at remote 0x405b2fb4>, indent_level=0)
#     at /home/p/Python-3.4.1/Modules/_json.c:1557
# 1557                PyList_SET_ITEM(items, i, item);
# (gdb)  print *(PyListObject*)items
# $1 = {ob_base = {ob_base = {_ob_next = 0x405bcab4, _ob_prev = 0x40591184, ob_refcnt = 2, ob_type = 0x830e1c0 <PyList_Type>}, 
#     ob_size = 0}, ob_item = 0x0, allocated = 0}
# (gdb) print i
# $2 = 112233
# 
# "items" was cleared in __hash__, so we get a wild write at a controlled address.

----------
files: poc_enc_dict3.py
messages: 242311
nosy: pkt
priority: normal
severity: normal
status: open
title: Use after free during json encoding a dict (3)
type: crash
versions: Python 3.4
Added file: http://bugs.python.org/file39246/poc_enc_dict3.py

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue24096>
_______________________________________
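
The failure mode reported above, as an added example that is not part of the original message and is not CPython code: a simplified C model in which a callback empties a list while a loop is still filling it. A store that checks the list's current size and item array on every write stops the loop instead of writing through a stale index. `model_list`, `user_hook` and all function names are hypothetical; the model does not reproduce `_json.c` or any upstream fix.

```c
#include <stdio.h>
#include <stdlib.h>
/* Simplified stand-in for a list object: the two fields shown in the gdb dump. */
typedef struct { size_t size; void **items; } model_list;
/* Hypothetical hook modelling user code (such as __hash__) that runs mid-loop. */
typedef void (*user_hook)(model_list *l, size_t i);

model_list *model_list_new(size_t n) {
    model_list *l = malloc(sizeof *l);
    if (!l) return NULL;
    l->items = calloc(n, sizeof *l->items);
    if (!l->items) { free(l); return NULL; }
    l->size = n;
    return l;
}

/* Leaves the state seen in the dump: size 0 and a NULL item array. */
void model_list_clear(model_list *l) { free(l->items); l->items = NULL; l->size = 0; }
void model_list_free(model_list *l) { model_list_clear(l); free(l); }
/* Hook that empties the list while the fill loop is at index 2. */
void clear_at_index_2(model_list *l, size_t i) { if (i == 2) model_list_clear(l); }

/* Checked store: validates against the list's current state on every write. */
int model_list_set_checked(model_list *l, size_t i, void *item) {
    if (l->items == NULL || i >= l->size) return -1;
    l->items[i] = item;
    return 0;
}

/* Fills n slots; the hook runs before each store, so the list may change under the loop. */
int fill_checked(model_list *l, size_t n, user_hook hook, size_t *stored) {
    static int marker;
    *stored = 0;
    for (size_t i = 0; i < n; i++) {
        if (hook) hook(l, i);
        if (model_list_set_checked(l, i, &marker) != 0) return -1; /* mutated: stop */
        (*stored)++;
    }
    return 0;
}

int main(void) {
    size_t stored;
    model_list *l = model_list_new(4);
    if (!l) return 1;
    printf("rc=%d\n", fill_checked(l, 4, clear_at_index_2, &stored));
    model_list_free(l);
    return 0;
}
```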

