[issue29028] Use-After-Free in PyString_FromStringAndSize() of stringobject.c
Serhiy Storchaka
report at bugs.python.org
Thu Dec 29 15:07:21 EST 2016
Serhiy Storchaka added the comment:
There is a problem with PySlice_GetIndicesEx() (see issue27867). Buffer length shouldn't be evaluated before PySlice_GetIndicesEx() since it can call user code that can change buffer length. This issue can't be solved without first solving issue27867.
get_buf() is called twice. First for getting the size, and later in buffer_item() or after PySlice_GetIndicesEx() for getting a pointer. I think it can be called once.
Ammar, please write a unittest for this issue. It should also cover bugs in the first two versions of the patch.
----------
dependencies: +various issues due to misuse of PySlice_GetIndicesEx
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue29028>
_______________________________________
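The ordering problem described in the comment above, modelled in pure Python as an added example (it is not CPython's C code and not part of the original message). The `ShrinkOnIndex` class, both function names and the sample data are hypothetical and constructed for illustration.

```python
import operator


class ShrinkOnIndex:
    """Constructed slice bound: its __index__ shrinks the backing storage."""

    def __init__(self, backing, value):
        self.backing = backing
        self.value = value

    def __index__(self):
        # User code runs here, in the middle of slice-index resolution.
        del self.backing[4:]
        return self.value


def measure_then_resolve(backing, key):
    """Buggy order: read the length, then resolve indices (runs user code)."""
    length = len(backing)                    # measured too early
    start, stop, step = key.indices(length)  # may call __index__ and resize
    # 'stop' was clamped against the old length, so it can now point past
    # the end of the storage that actually exists.
    return start, stop, step, stop > len(backing)


def resolve_then_measure(backing, key):
    """Safer order: run all user code first, then read the length once."""
    start = None if key.start is None else operator.index(key.start)
    stop = None if key.stop is None else operator.index(key.stop)
    step = None if key.step is None else operator.index(key.step)
    # Bounds are plain ints now; nothing below can call back into user code.
    length = len(backing)
    start, stop, step = slice(start, stop, step).indices(length)
    return start, stop, step, stop > len(backing)


def demo():
    """Run both orderings on fresh 10-byte buffers (constructed input)."""
    a = bytearray(b"0123456789")
    b = bytearray(b"0123456789")
    buggy = measure_then_resolve(a, slice(0, ShrinkOnIndex(a, 8)))
    fixed = resolve_then_measure(b, slice(0, ShrinkOnIndex(b, 8)))
    return buggy, fixed


if __name__ == "__main__":
    print(demo())
```

In C the stale `stop` would be used with a raw pointer and an unchecked copy length, which is why the order of the length read and the index resolution matters there.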