[Python-checkins] closes bpo-34501: PyType_FromSpecWithBases: Check spec->name before dereferencing it. (GH-8930)

[Miss Islington (bot)]

https://github.com/python/cpython/commit/323a91bb3a2b5639637efc517fe3f30d3bc288e2
commit: 323a91bb3a2b5639637efc517fe3f30d3bc288e2
branch: 3.6
author: Miss Islington (bot) <31488909+miss-islington at users.noreply.github.com>
committer: GitHub <noreply at github.com>
date: 2018-08-25T15:17:13-04:00
summary:

closes bpo-34501: PyType_FromSpecWithBases: Check spec->name before dereferencing it. (GH-8930)


Reported by Svace static analyzer.
(cherry picked from commit 5f79b50763d687aeeed8edcb4efcc7ac9f8fa186)

Co-authored-by: Alexey Izbyshev <izbyshev at ispras.ru>

files:
M Objects/typeobject.c

diff --git a/Objects/typeobject.c b/Objects/typeobject.c
index bbc383a695b8..3468c64060df 100644
--- a/Objects/typeobject.c
+++ b/Objects/typeobject.c
@@ -2748,6 +2748,15 @@ PyType_FromSpecWithBases(PyType_Spec *spec, PyObject *bases)
     char *res_start = (char*)res;
     PyType_Slot *slot;
 
+    if (res == NULL)
+        return NULL;
+
+    if (spec->name == NULL) {
+        PyErr_SetString(PyExc_SystemError,
+                        "Type spec does not define the name field.");
+        goto fail;
+    }
+
     /* Set the type name and qualname */
     s = strrchr(spec->name, '.');
     if (s == NULL)
@@ -2755,8 +2764,6 @@ PyType_FromSpecWithBases(PyType_Spec *spec, PyObject *bases)
     else
         s++;
 
-    if (res == NULL)
-        return NULL;
     type = &res->ht_type;
     /* The flags must be initialized early, before the GC traverses us */
     type->tp_flags = spec->flags | Py_TPFLAGS_HEAPTYPE;
@@ -2766,8 +2773,6 @@ PyType_FromSpecWithBases(PyType_Spec *spec, PyObject *bases)
     res->ht_qualname = res->ht_name;
     Py_INCREF(res->ht_qualname);
     type->tp_name = spec->name;
-    if (!type->tp_name)
-        goto fail;
 
     /* Adjust for empty tuple bases */
     if (!bases) {