[Python-checkins] cpython (2.7): Issue #16447: Fix potential segfault when setting __name__ on a class.

mark.dickinson python-checkins at python.org
Sat Apr 13 16:19:27 CEST 2013 

http://hg.python.org/cpython/rev/d5e5017309b1
changeset:   83283:d5e5017309b1
branch:      2.7
user:        Mark Dickinson <dickinsm at gmail.com>
date:        Sat Apr 13 15:19:05 2013 +0100
summary:
  Issue #16447: Fix potential segfault when setting __name__ on a class.

files:
  Lib/test/test_descr.py |  14 ++++++++++++++
  Misc/NEWS              |   3 +++
  Objects/typeobject.c   |   6 +++++-
  3 files changed, 22 insertions(+), 1 deletions(-)


diff --git a/Lib/test/test_descr.py b/Lib/test/test_descr.py
--- a/Lib/test/test_descr.py
+++ b/Lib/test/test_descr.py
@@ -4136,6 +4136,20 @@
         C.__name__ = 'D.E'
         self.assertEqual((C.__module__, C.__name__), (mod, 'D.E'))
 
+    def test_evil_type_name(self):
+        # A badly placed Py_DECREF in type_set_name led to arbitrary code
+        # execution while the type structure was not in a sane state, and a
+        # possible segmentation fault as a result.  See bug #16447.
+        class Nasty(str):
+            def __del__(self):
+                C.__name__ = "other"
+
+        class C(object):
+            pass
+
+        C.__name__ = Nasty("abc")
+        C.__name__ = "normal"
+
     def test_subclass_right_op(self):
         # Testing correct dispatch of subclass overloading __r<op>__...
 
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -17,6 +17,9 @@
 Core and Builtins
 -----------------
 
+- Issue #16447: Fixed potential segmentation fault when setting __name__ on a
+  class.
+
 - Issue #17610: Don't rely on non-standard behavior of the C qsort() function.
 
 Library
diff --git a/Objects/typeobject.c b/Objects/typeobject.c
--- a/Objects/typeobject.c
+++ b/Objects/typeobject.c
@@ -225,6 +225,7 @@
 type_set_name(PyTypeObject *type, PyObject *value, void *context)
 {
     PyHeapTypeObject* et;
+    PyObject *tmp;
 
     if (!(type->tp_flags & Py_TPFLAGS_HEAPTYPE)) {
         PyErr_Format(PyExc_TypeError,
@@ -253,10 +254,13 @@
 
     Py_INCREF(value);
 
-    Py_DECREF(et->ht_name);
+    /* Wait until et is a sane state before Py_DECREF'ing the old et->ht_name
+       value.  (Bug #16447.)  */
+    tmp = et->ht_name;
     et->ht_name = value;
 
     type->tp_name = PyString_AS_STRING(value);
+    Py_DECREF(tmp);
 
     return 0;
 }

-- 
Repository URL: http://hg.python.org/cpython

More information about the Python-checkins mailing list