[New-bugs-announce] [issue24093] Use after free in Element.remove

[paul]

New submission from paul:

# Program received signal SIGABRT, Aborted.
# 0x40022424 in __kernel_vsyscall ()
# (gdb) bt
# #0  0x40022424 in __kernel_vsyscall ()
# #1  0x400bb1df in raise () from /lib/i386-linux-gnu/libc.so.6
# #2  0x400be825 in abort () from /lib/i386-linux-gnu/libc.so.6
# #3  0x08067030 in Py_FatalError (
#     msg=0xbfed7a20 "/home/p/Python-3.4.1/Modules/_elementtree.c:1436 object at 0x405743ec has negative ref count -606348326")
#     at Python/pythonrun.c:2633
# #4  0x080f1374 in _Py_NegativeRefcount (fname=0x40646100 "/home/p/Python-3.4.1/Modules/_elementtree.c", lineno=1436, 
#     op=<unknown at remote 0x405743ec>) at Objects/object.c:203
# #5  0x4063dfa6 in element_remove (self=0x40583c34, args=(<xml.etree.ElementTree.Element at remote 0x40583bb4>,))
#     at /home/p/Python-3.4.1/Modules/_elementtree.c:1436
# (gdb) frame 5
# #5  0x4063dfa6 in element_remove (self=0x40583c34, args=(<xml.etree.ElementTree.Element at remote 0x40583bb4>,))
#     at /home/p/Python-3.4.1/Modules/_elementtree.c:1436
# 1436        Py_DECREF(self->extra->children[i]);
# (gdb) print i
# $1 = 1
# (gdb) print *(PyObject*)self->extra->children
# $3 = {_ob_next = 0x4057437c, _ob_prev = 0x405743ec, ob_refcnt = 1079461180, ob_type = 0x4057461c}
# 
# Fatal Python error: /home/p/Python-3.4.1/Modules/_elementtree.c:1436 object at 0x405743ec has negative ref count -606348326
# 
# "self->extra->children" is cleared in custom __eq__ method. Py_DECREF handles
# stale pointer. Use after free.
#

----------
files: poc_elt_remove.py
messages: 242307
nosy: pkt
priority: normal
severity: normal
status: open
title: Use after free in Element.remove
type: crash
versions: Python 3.4
Added file: http://bugs.python.org/file39242/poc_elt_remove.py

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue24093>
_______________________________________