[Python-Dev] [Python-checkins] cpython (2.7): Issue #16447: Fix potential segfault when setting __name__ on a class.
Eli Bendersky
eliben at gmail.com
Sat Apr 13 16:25:33 CEST 2013
Test case?
On Sat, Apr 13, 2013 at 7:19 AM, mark.dickinson
<python-checkins at python.org>wrote:
> http://hg.python.org/cpython/rev/d5e5017309b1
> changeset: 83283:d5e5017309b1
> branch: 2.7
> user: Mark Dickinson <dickinsm at gmail.com>
> date: Sat Apr 13 15:19:05 2013 +0100
> summary:
> Issue #16447: Fix potential segfault when setting __name__ on a class.
>
> files:
> Lib/test/test_descr.py | 14 ++++++++++++++
> Misc/NEWS | 3 +++
> Objects/typeobject.c | 6 +++++-
> 3 files changed, 22 insertions(+), 1 deletions(-)
>
>
> diff --git a/Lib/test/test_descr.py b/Lib/test/test_descr.py
> --- a/Lib/test/test_descr.py
> +++ b/Lib/test/test_descr.py
> @@ -4136,6 +4136,20 @@
> C.__name__ = 'D.E'
> self.assertEqual((C.__module__, C.__name__), (mod, 'D.E'))
>
> + def test_evil_type_name(self):
> + # A badly placed Py_DECREF in type_set_name led to arbitrary code
> + # execution while the type structure was not in a sane state, and
> a
> + # possible segmentation fault as a result. See bug #16447.
> + class Nasty(str):
> + def __del__(self):
> + C.__name__ = "other"
> +
> + class C(object):
> + pass
> +
> + C.__name__ = Nasty("abc")
> + C.__name__ = "normal"
> +
> def test_subclass_right_op(self):
> # Testing correct dispatch of subclass overloading __r<op>__...
>
> diff --git a/Misc/NEWS b/Misc/NEWS
> --- a/Misc/NEWS
> +++ b/Misc/NEWS
> @@ -17,6 +17,9 @@
> Core and Builtins
> -----------------
>
> +- Issue #16447: Fixed potential segmentation fault when setting __name__
> on a
> + class.
> +
> - Issue #17610: Don't rely on non-standard behavior of the C qsort()
> function.
>
> Library
> diff --git a/Objects/typeobject.c b/Objects/typeobject.c
> --- a/Objects/typeobject.c
> +++ b/Objects/typeobject.c
> @@ -225,6 +225,7 @@
> type_set_name(PyTypeObject *type, PyObject *value, void *context)
> {
> PyHeapTypeObject* et;
> + PyObject *tmp;
>
> if (!(type->tp_flags & Py_TPFLAGS_HEAPTYPE)) {
> PyErr_Format(PyExc_TypeError,
> @@ -253,10 +254,13 @@
>
> Py_INCREF(value);
>
> - Py_DECREF(et->ht_name);
> + /* Wait until et is a sane state before Py_DECREF'ing the old
> et->ht_name
> + value. (Bug #16447.) */
> + tmp = et->ht_name;
> et->ht_name = value;
>
> type->tp_name = PyString_AS_STRING(value);
> + Py_DECREF(tmp);
>
> return 0;
> }
>
> --
> Repository URL: http://hg.python.org/cpython
>
> _______________________________________________
> Python-checkins mailing list
> Python-checkins at python.org
> http://mail.python.org/mailman/listinfo/python-checkins
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-dev/attachments/20130413/322c51a7/attachment.html>
More information about the Python-Dev
mailing list