[New-bugs-announce] [issue10638] PyArg_ParseTuple: refcount in nested tuples

Armin Rigo report at bugs.python.org
Mon Dec 6 14:43:19 CET 2010

New submission from Armin Rigo <arigo at users.sourceforge.net>:

There is an issue in PyArg_ParseTuple() when using nested tuple arguments: it accepts a pure Python tuple-like argument, but it cannot work properly because PyArg_ParseTuple() is supposed to return borrowed references to the objects.  For example, here is an attack on functools.partial().__setstate__(), which is written using

    PyArg_ParseTuple(args, "(OOOO)", ...)

Running crasher.py crashes a debug build of Python, for me with Fatal Python error: _functoolsmodule.c:158 object at 0x9011748 has negative ref count -606348322.

The only way I can see to fix the crasher is to restrict the kind of argument that can be passed to mean a nested tuple.  To be paranoid, it should only allow real tuples; a bit more flexibly, lists probably work ok too.

components: Interpreter Core
files: crasher.py
messages: 123466
nosy: arigo
priority: normal
severity: normal
status: open
title: PyArg_ParseTuple: refcount in nested tuples
Added file: http://bugs.python.org/file19953/crasher.py

Python tracker <report at bugs.python.org>

More information about the New-bugs-announce mailing list