[Python-checkins] cpython (2.7): Add a crasher for the documented issue of calling "Py_DECREF(self->xxx)";

alex.gaynor python-checkins at python.org
Sun Mar 4 19:10:31 CET 2012


http://hg.python.org/cpython/rev/e04e1f253ed8
changeset:   75392:e04e1f253ed8
branch:      2.7
parent:      75377:52ecec12c0ed
user:        Armin Rigo <arigo at tunes.org>
date:        Sun Mar 04 18:56:23 2012 +0100
summary:
  Add a crasher for the documented issue of calling "Py_DECREF(self->xxx)";

files:
  Lib/test/crashers/decref_before_assignment.py |  44 ++++++++++
  1 files changed, 44 insertions(+), 0 deletions(-)


diff --git a/Lib/test/crashers/decref_before_assignment.py b/Lib/test/crashers/decref_before_assignment.py
new file mode 100644
--- /dev/null
+++ b/Lib/test/crashers/decref_before_assignment.py
@@ -0,0 +1,44 @@
+"""
+General example for an attack against code like this:
+
+    Py_DECREF(obj->attr); obj->attr = ...;
+
+here in Module/_json.c:scanner_init().
+
+Explanation: if the first Py_DECREF() calls either a __del__ or a
+weakref callback, it will run while the 'obj' appears to have in
+'obj->attr' still the old reference to the object, but not holding
+the reference count any more.
+
+Status: progress has been made replacing these cases, but there is an
+infinite number of such cases.
+"""
+
+import _json, weakref
+
+class Ctx1(object):
+    encoding = "utf8"
+    strict = None
+    object_hook = None
+    object_pairs_hook = None
+    parse_float = None
+    parse_int = None
+    parse_constant = None
+
+class Foo(unicode):
+    pass
+
+def delete_me(*args):
+    print scanner.encoding.__dict__
+
+class Ctx2(Ctx1):
+    @property
+    def encoding(self):
+        global wref
+        f = Foo("utf8")
+        f.abc = globals()
+        wref = weakref.ref(f, delete_me)
+        return f
+
+scanner = _json.make_scanner(Ctx1())
+scanner.__init__(Ctx2())
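Review bot: the docstring points at `Module/_json.c:scanner_init()`, but the CPython directory is `Modules/`, so the reference should read `Modules/_json.c` for anyone trying to find the C code this crasher targets. The script also never marks where the invalid access happens: `delete_me()` reads `scanner.encoding.__dict__` from inside the weakref callback, which per the docstring runs while the scanner's field still points at the object that no longer holds a reference. A one-line comment on `delete_me()` saying so, and another on the final `scanner.__init__(Ctx2())` noting that this second init is what triggers the decref, would make the file self-explanatory. The docstring sentence "appears to have in 'obj->attr' still the old reference" is hard to parse. Consider "while 'obj->attr' still points to the old object although 'obj' no longer owns a reference to it". It would also help to state the safe ordering the "Status" paragraph alludes to: store the new value in the field first and only then decref the old one, via a temporary.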

-- 
Repository URL: http://hg.python.org/cpython

