classification
Title: PyUnicode_Resize cannot resize shared unicode object
Type: Stage:
Components: Interpreter Core Versions: Python 2.5
process
Status: closed Resolution: invalid
Dependencies: Superseder:
Assigned To: Nosy List: doerwalter, ocean-city (2)
Priority: normal Keywords patch

Created on 2006-05-24 18:24 by ocean-city, last changed 2006-05-26 15:07 by doerwalter.

Messages (2)
msg50351 - (view) Author: Hirokazu Yamamoto (ocean-city) Date: 2006-05-24 18:24 
I found following code fails.

    PyUnicodeObject *v1 = _PyUnicode_New(0);
    PyUnicodeObject *v2 = _PyUnicode_New(0);

    _PyUnicode_Resize(&v1, 1);

    Py_DECREF(v1);
    Py_DECREF(v2);

Error message is...

SystemError:
E:\python-dev\trunk\Objects\unicodeobject.c:335: bad
argument to internal function

This happens because _PyUnicode_New(0) returns
empty_unicode, and its ob_refcnt becomes 2 on second
call. I think refcnt check bellow is not needed. Is
this right fix?

Index: Objects/unicodeobject.c
===================================================================
--- Objects/unicodeobject.c	(revision 46192)
+++ Objects/unicodeobject.c	(working copy)
@@ -331,7 +331,7 @@
 	return -1;
     }
     v = (PyUnicodeObject *)*unicode;
-    if (v == NULL || !PyUnicode_Check(v) ||
v->ob_refcnt != 1 || length < 0) {
+    if (v == NULL || !PyUnicode_Check(v) || length < 0) {
 	PyErr_BadInternalCall();
 	return -1;
     }
msg50352 - (view) Author: Walter Dörwald (doerwalter) Date: 2006-05-26 15:07 
Logged In: YES 
user_id=89016

This patch opens the door for hard to detect bugs: What if
PyUnicode_Resize() gets passed an object that is *not* one
of the preallocated size 0 or size 1 strings, but has a
refcount > 1? In this case your code falls through to
unicode_resize() which happily modifies an immutable shared
object.
History
Date User Action Args
2006-05-24 18:24:50ocean-citycreate