[issue8420] set_lookkey is unsafe
Eugene Kapun
report at bugs.python.org
Fri Apr 16 17:43:35 CEST 2010
New submission from Eugene Kapun <abacabadabacaba at gmail.com>:
I've noticed that set_lookkey (in Objects/setobject.c) does some unsafe things:
Objects/setobject.c:
>     if (entry->hash == hash) {
>         startkey = entry->key;
>         Py_INCREF(startkey);
>         cmp = PyObject_RichCompareBool(startkey, key, Py_EQ);
>         Py_DECREF(startkey);
At this point, the object pointed to by startkey could be deallocated, and then a new object may be allocated at the same address.
>         if (cmp < 0)
>             return NULL;
>         if (table == so->table && entry->key == startkey) {
At this point, the table may be reallocated at the same address but with a different (possibly smaller) size, so entry->key may be in deallocated memory. Also, entry->key may be equal to startkey but still point to an object other than the one key was compared with.
>             if (cmp > 0)
>                 return entry;
>         }
>         else {
>             /* The compare did major nasty stuff to the
>              * set: start over.
>              */
>             return set_lookkey(so, key, hash);
This can lead to infinite recursion.
>         }
----------
components: Interpreter Core
messages: 103333
nosy: abacabadabacaba
severity: normal
status: open
title: set_lookkey is unsafe
versions: Python 3.1
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue8420>
_______________________________________
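The re-entrancy the report describes, as an added Python example that is not part of the original report or of CPython: a key whose __eq__ mutates the very set it is being looked up in, which is exactly the situation that leaves startkey and entry stale in the middle of set_lookkey. The names MutatingKey and run_probe are this example's own; on a current CPython the lookup notices the reallocated table, restarts, and finishes safely, and the call counter shows the compare being entered a second time after that restart.

```python
class MutatingKey:
    """A key that re-enters the set it is being searched in.

    __hash__ collides with hash(1) so set_lookkey reaches the
    PyObject_RichCompareBool call quoted in the report; __eq__ then
    does the "major nasty stuff": it clears and regrows the set
    while the lookup is still in progress.
    """

    def __init__(self, mutations):
        self.target = None          # set assigned by run_probe (constructed below)
        self.mutations = mutations  # how many compares are allowed to mutate it
        self.calls = 0              # how many times __eq__ was entered

    def __hash__(self):
        return hash(1)  # collide with the int 1 stored in the target set

    def __eq__(self, other):
        self.calls += 1
        if self.calls <= self.mutations and self.target is not None:
            # Frees the old table and allocates a new, larger one: the
            # entry pointer and startkey held by set_lookkey no longer
            # describe the live set, so the lookup must detect this
            # and start over rather than trust them.
            self.target.clear()
            self.target.update(range(100))
        return False  # never equal, so the lookup keeps probing


def run_probe(mutations=1):
    """Look up a MutatingKey in {1}; return (found, eq_calls, final_size)."""
    probe = MutatingKey(mutations)
    s = {1}                 # constructed sample set: one colliding key
    probe.target = s
    found = probe in s      # set_contains_key -> set_lookkey -> __eq__
    return found, probe.calls, len(s)


if __name__ == "__main__":
    found, calls, size = run_probe()
    print(f"found={found} __eq__ calls={calls} set size after lookup={size}")
```

With mutations=0 the compare runs once and the set is untouched; with mutations=1 the first compare reallocates the table, the lookup restarts and compares the colliding key again, so __eq__ is entered twice and the set ends with 100 elements.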