classification
Title: PyArg_ParseTuple: refcount in nested tuples
Type: Stage:
Components: Interpreter Core Versions:
process
Status: closed Resolution: duplicate
Dependencies: Superseder:
Assigned To: Nosy List: arigo, georg.brandl
Priority: normal Keywords:

Created on 2010-12-06 13:43 by arigo, last changed 2010-12-06 14:14 by arigo. This issue is now closed.

Files
File name Uploaded Description Edit
crasher.py arigo, 2010-12-06 13:43 A new crasher
Messages (3)
msg123466 - (view) Author: Armin Rigo (arigo) * (Python committer) Date: 2010-12-06 13:43
There is an issue in PyArg_ParseTuple() when using nested tuple arguments: it accepts a pure Python tuple-like argument, but it cannot work properly because PyArg_ParseTuple() is supposed to return borrowed references to the objects.  For example, here is an attack on functools.partial().__setstate__(), which is written using

    PyArg_ParseTuple(args, "(OOOO)", ...)

Running crasher.py crashes a debug build of Python, for me with Fatal Python error: _functoolsmodule.c:158 object at 0x9011748 has negative ref count -606348322.

The only way I can see to fix the crasher is to restrict the kind of argument that can be passed to mean a nested tuple.  To be paranoid, it should only allow real tuples; a bit more flexibly, lists probably work ok too.
msg123467 - (view) Author: Georg Brandl (georg.brandl) * (Python committer) Date: 2010-12-06 14:04
Duplicate of #6083?
msg123468 - (view) Author: Armin Rigo (arigo) * (Python committer) Date: 2010-12-06 14:14
Indeed.
History
Date User Action Args
2010-12-06 14:14:37arigosetstatus: open -> closed
resolution: duplicate
messages: + msg123468
2010-12-06 14:04:15georg.brandlsetnosy: + georg.brandl
messages: + msg123467
2010-12-06 13:43:16arigocreate