[issue24407] Use after free in PyDict_merge
paul
report at bugs.python.org
Mon Jun 8 13:57:05 CEST 2015
New submission from paul:
# PyDict_Merge:
#
# 1 for (i = 0, n = DK_SIZE(other->ma_keys); i < n; i++) {
# ...
# 3 entry = &other->ma_keys->dk_entries[i];
# ...
# 2     if (insertdict(mp, entry->me_key,
#                        entry->me_hash,
#                        value) != 0)
#         return -1;
# ...
# }
#
# 1. n is set once
# 2. it's possible to run a custom __eq__ method from inside the insertdict.
# __eq__ clears the "other" dict. The "n" variable is now out of date
# 3. out of bounds read
#
# CRASH:
# ------
#
# * thread #1: tid = 27715, 0x080d1c1d python`insertdict(mp=0xb71d66f4, key=0x61682044, hash=543582496, value=0xb71d6664) + 132 at dictobject.c:819, name = 'python', stop reason = invalid address (fault address: 0x61682050)
# frame #0: 0x080d1c1d python`insertdict(mp=0xb71d66f4, key=0x61682044, hash=543582496, value=0xb71d6664) + 132 at dictobject.c:819
# 816 if (ep == NULL) {
# 817 return -1;
# 818 }
# -> 819 assert(PyUnicode_CheckExact(key) || mp->ma_keys->dk_lookup == lookdict);
# 820 Py_INCREF(value);
# 821 MAINTAIN_TRACKING(mp, key, value);
# 822 old_value = *value_addr;
#
----------
files: dict_merge.py
messages: 245001
nosy: pkt
priority: normal
severity: normal
status: open
title: Use after free in PyDict_merge
type: crash
versions: Python 3.5
Added file: http://bugs.python.org/file39659/dict_merge.py
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue24407>
_______________________________________
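The hazard the report describes is a merge loop that snapshots the source table's bound (`n`) once and then calls back into user code (`__eq__`) from inside `insertdict`, so the snapshot can go stale mid-loop. The following toy model is an added example, not CPython code and not the attached dict_merge.py: a contiguous entry array stands in for `dk_entries`, an `eq_hook` stands in for a Python-level `__eq__`, and the hostile hook clears the source dict the way the report says. `dict_merge_unchecked` keeps the shape of the loop in the report and is never called, because after the hook runs its stale `n` indexes past the replaced, smaller table; `dict_merge_checked` re-validates the source after every insert and fails with an error instead. The names `Dict`, `Entry`, `eq_hook`, `dict_merge_checked`, `last_error` and `run_merge` are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy model of the PyDict_Merge hazard (added example, not CPython code). */
typedef struct { int key; int value; } Entry;

typedef struct {
    Entry *entries;   /* stands in for other->ma_keys->dk_entries */
    size_t used;      /* live entries: the bound the merge loop snapshots */
    size_t cap;
} Dict;

/* Key-equality hook: the analogue of a Python __eq__ that can run any code. */
typedef int (*eq_hook)(int a, int b, void *ctx);

static const char *last_error = NULL;

static void dict_init(Dict *d, size_t cap) {
    d->entries = calloc(cap, sizeof(Entry));
    d->used = 0;
    d->cap = cap;
}

/* Clearing swaps in a fresh, smaller table (like replacing ma_keys), so any
 * index or pointer computed against the old table is now invalid. */
static void dict_clear(Dict *d) {
    free(d->entries);
    dict_init(d, 1);
}

static int dict_insert(Dict *mp, int key, int value, eq_hook eq, void *ctx) {
    for (size_t i = 0; i < mp->used; i++) {
        if (eq(mp->entries[i].key, key, ctx)) {   /* user code runs here */
            mp->entries[i].value = value;
            return 0;
        }
    }
    if (mp->used == mp->cap) {
        Entry *grown = realloc(mp->entries, mp->cap * 2 * sizeof(Entry));
        if (!grown) return -1;
        mp->entries = grown;
        mp->cap *= 2;
    }
    mp->entries[mp->used].key = key;
    mp->entries[mp->used].value = value;
    mp->used++;
    return 0;
}

/* Loop shape from the report: n is read once, entries re-read each pass.
 * Never called here: once the hook clears `other`, n is stale and the next
 * iteration reads past the end of the replacement table. */
static int dict_merge_unchecked(Dict *mp, Dict *other, eq_hook eq, void *ctx) {
    size_t n = other->used;
    for (size_t i = 0; i < n; i++) {
        Entry *entry = &other->entries[i];
        if (dict_insert(mp, entry->key, entry->value, eq, ctx) != 0)
            return -1;
    }
    return 0;
}

/* Hardened form: after every call that can run user code, confirm the source
 * table is the one the loop started with; otherwise stop with an error. */
static int dict_merge_checked(Dict *mp, Dict *other, eq_hook eq, void *ctx) {
    size_t n = other->used;
    Entry *table = other->entries;
    for (size_t i = 0; i < n; i++) {
        Entry *entry = &other->entries[i];
        if (dict_insert(mp, entry->key, entry->value, eq, ctx) != 0)
            return -1;
        if (other->used != n || other->entries != table) {
            last_error = "dict mutated during update";
            return -1;
        }
    }
    return 0;
}

/* Benign __eq__: plain comparison. */
static int eq_plain(int a, int b, void *ctx) { (void)ctx; return a == b; }

/* Hostile __eq__ from the report: clears the source dict while it is being merged. */
static int eq_clears_other(int a, int b, void *ctx) {
    dict_clear((Dict *)ctx);
    return a == b;
}

/* Constructed scenario: mp = {1:10}, other = {1:11, 2:22}; merging key 1 into
 * mp invokes the hook. Returns the checked merge's result and mp's final size. */
static int run_merge(eq_hook eq, size_t *out_used) {
    Dict mp, other;
    dict_init(&mp, 4);
    dict_init(&other, 4);
    dict_insert(&mp, 1, 10, eq_plain, NULL);
    dict_insert(&other, 1, 11, eq_plain, NULL);
    dict_insert(&other, 2, 22, eq_plain, NULL);
    last_error = NULL;
    int rc = dict_merge_checked(&mp, &other, eq, &other);
    *out_used = mp.used;
    free(mp.entries);
    free(other.entries);
    return rc;
}

int main(void) {
    size_t used;
    int rc = run_merge(eq_plain, &used);
    printf("benign __eq__: rc=%d, mp has %zu entries\n", rc, used);
    rc = run_merge(eq_clears_other, &used);
    printf("hostile __eq__: rc=%d, error=%s, mp has %zu entries\n",
           rc, last_error ? last_error : "(none)", used);
    (void)dict_merge_unchecked;
    return 0;
}
```

The check mirrors the defensive idea of comparing the live table against the values captured at loop entry; the benign run completes with two entries, while the hostile run stops after the first insert with an error instead of reading a stale index.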