[New-bugs-announce] [issue24094] Use after free during json encoding (PyType_IsSubtype)

paul report at bugs.python.org
Fri May 1 16:00:58 CEST 2015 

New submission from paul:

# Breakpoint 1, encoder_listencode_dict (s=0x405b23fc, acc=0xbfc4038c, dct=<D at remote 0x405c8b34>, indent_level=0)
#     at /home/p/Python-3.4.1/Modules/_json.c:1540
# 1540            items = PyMapping_Keys(dct);
# (gdb) n
# 1541            if (items == NULL)
# (gdb) print *items
# $1 = {_ob_next = 0x405c8af4, _ob_prev = 0x4059006c, ob_refcnt = 2, ob_type = 0x830e1c0 <PyList_Type>}
# (gdb) n
# 1543            if (!PyList_Check(items)) {
# (gdb) n
# 1547            if (PyList_Sort(items) < 0)
# (gdb) n
# 1549            nitems = PyList_GET_SIZE(items);
# (gdb) n
# 1550            for (i = 0; i < nitems; i++) {
# (gdb) print nitems
# $2 = 1122
# (gdb) n
# 1552                key = PyList_GET_ITEM(items, i);
# (gdb) n
# 1553                value = PyDict_GetItem(dct, key);
# (gdb) print *key
# $3 = {_ob_next = 0x4058eedc, _ob_prev = 0x40590d1c, ob_refcnt = 1, ob_type = 0x405afd1c}
# (gdb) n
# 
# Program received signal SIGSEGV, Segmentation fault.
# 0x08108825 in PyType_IsSubtype (a=0xdbdbdbdb, b=0x830f1a0 <PyLong_Type>) at Objects/typeobject.c:1292
# 1292        mro = a->tp_mro;
# (gdb) bt
# #0  0x08108825 in PyType_IsSubtype (a=0xdbdbdbdb, b=0x830f1a0 <PyLong_Type>) at Objects/typeobject.c:1292
# #1  0x080f22d6 in do_richcompare (v=1337, w=<unknown at remote 0x4059006c>, op=2) at Objects/object.c:643
# #2  0x080f263d in PyObject_RichCompare (v=1337, w=<unknown at remote 0x4059006c>, op=2) at Objects/object.c:701
# #3  0x080f26ce in PyObject_RichCompareBool (v=1337, w=<unknown at remote 0x4059006c>, op=2) at Objects/object.c:723
# #4  0x080df7b5 in lookdict (mp=0x405c8b34, key=<unknown at remote 0x4059006c>, hash=1337, value_addr=0xbfc40200)
#     at Objects/dictobject.c:485
# #5  0x080e145d in PyDict_GetItem (op=<D at remote 0x405c8b34>, key=<unknown at remote 0x4059006c>) at Objects/dictobject.c:1095
# #6  0x405bf6f9 in encoder_listencode_dict (s=0x405b23fc, acc=0xbfc4038c, dct=<D at remote 0x405c8b34>, indent_level=0)
# 
# Deleting the object in __hash__() method triggers an use after free in PyType_IsSubtype.

----------
files: poc_enc_dict1.py
messages: 242308
nosy: pkt
priority: normal
severity: normal
status: open
title: Use after free during json encoding (PyType_IsSubtype)
type: crash
versions: Python 3.4
Added file: http://bugs.python.org/file39243/poc_enc_dict1.py

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue24094>
_______________________________________

More information about the New-bugs-announce mailing list