https://hg.python.org/cpython/rev/8a14af800f96 changeset: 99673:8a14af800f96 parent: 99670:c4e8751ce637 parent: 99672:ed62cf0cf256 user: Serhiy Storchaka <storchaka@gmail.com> date: Thu Dec 24 11:53:16 2015 +0200 summary: Issue #24103: Fixed possible use after free in ElementTree.XMLPullParser. files: Misc/NEWS | 2 + Modules/_elementtree.c | 32 ++++++++++++----------------- 2 files changed, 15 insertions(+), 19 deletions(-) diff --git a/Misc/NEWS b/Misc/NEWS --- a/Misc/NEWS +++ b/Misc/NEWS @@ -118,6 +118,8 @@ Library ------- +- Issue #24103: Fixed possible use after free in ElementTree.XMLPullParser. + - Issue #25860: os.fwalk() no longer skips remaining directories when error occurs. Original patch by Samson Lee. diff --git a/Modules/_elementtree.c b/Modules/_elementtree.c --- a/Modules/_elementtree.c +++ b/Modules/_elementtree.c @@ -3581,7 +3581,7 @@ /*[clinic end generated code: output=1440092922b13ed1 input=abf90830a1c3b0fc]*/ { /* activate element event reporting */ - Py_ssize_t i, seqlen; + Py_ssize_t i; TreeBuilderObject *target; PyObject *events_append, *events_seq; @@ -3599,8 +3599,7 @@ events_append = PyObject_GetAttrString(events_queue, "append"); if (events_append == NULL) return NULL; - Py_XDECREF(target->events_append); - target->events_append = events_append; + Py_SETREF(target->events_append, events_append); /* clear out existing events */ Py_CLEAR(target->start_event_obj); @@ -3619,46 +3618,41 @@ return NULL; } - seqlen = PySequence_Size(events_seq); - for (i = 0; i < seqlen; ++i) { + for (i = 0; i < PySequence_Size(events_seq); ++i) { PyObject *event_name_obj = PySequence_Fast_GET_ITEM(events_seq, i); char *event_name = NULL; if (PyUnicode_Check(event_name_obj)) { - event_name = _PyUnicode_AsString(event_name_obj); + event_name = PyUnicode_AsUTF8(event_name_obj); } else if (PyBytes_Check(event_name_obj)) { event_name = PyBytes_AS_STRING(event_name_obj); } - if (event_name == NULL) { Py_DECREF(events_seq); PyErr_Format(PyExc_ValueError, "invalid events sequence"); return NULL; - } else if (strcmp(event_name, "start") == 0) { - Py_INCREF(event_name_obj); - target->start_event_obj = event_name_obj; + } + + Py_INCREF(event_name_obj); + if (strcmp(event_name, "start") == 0) { + Py_SETREF(target->start_event_obj, event_name_obj); } else if (strcmp(event_name, "end") == 0) { - Py_INCREF(event_name_obj); - Py_XDECREF(target->end_event_obj); - target->end_event_obj = event_name_obj; + Py_SETREF(target->end_event_obj, event_name_obj); } else if (strcmp(event_name, "start-ns") == 0) { - Py_INCREF(event_name_obj); - Py_XDECREF(target->start_ns_event_obj); - target->start_ns_event_obj = event_name_obj; + Py_SETREF(target->start_ns_event_obj, event_name_obj); EXPAT(SetNamespaceDeclHandler)( self->parser, (XML_StartNamespaceDeclHandler) expat_start_ns_handler, (XML_EndNamespaceDeclHandler) expat_end_ns_handler ); } else if (strcmp(event_name, "end-ns") == 0) { - Py_INCREF(event_name_obj); - Py_XDECREF(target->end_ns_event_obj); - target->end_ns_event_obj = event_name_obj; + Py_SETREF(target->end_ns_event_obj, event_name_obj); EXPAT(SetNamespaceDeclHandler)( self->parser, (XML_StartNamespaceDeclHandler) expat_start_ns_handler, (XML_EndNamespaceDeclHandler) expat_end_ns_handler ); } else { + Py_DECREF(event_name_obj); Py_DECREF(events_seq); PyErr_Format(PyExc_ValueError, "unknown event '%s'", event_name); return NULL; -- Repository URL: https://hg.python.org/cpython