Title: dictobject.c:dictresize() vulnerability
Type:
Stage:
Components: Interpreter Core
Versions:
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To:
Nosy List: arigo, tim.peters
Priority: normal
Keywords:

Created on 2006-03-22 15:47 by arigo, last changed 2006-10-09 20:29 by tim.peters. This issue is now closed.

Files
File name             | Uploaded                 | Description
                      | arigo, 2006-03-22 15:47  | Crashing example (all Python versions)
dictresize-fix-1.diff | arigo, 2006-03-22 16:32  | proposed fix
Messages (5)
msg27842 - Author: Armin Rigo (arigo) * (Python committer) Date: 2006-03-22 15:47
We thought we squashed the last of the
modify-the-dict-from-a-custom-eq kind of bugs long ago. 
Too bad.
msg27843 - Author: Armin Rigo (arigo) * (Python committer) Date: 2006-03-22 16:32

The cause of the bug is that if oldtable == mp->ma_smalltable
then pure Python code can mangle with mp->ma_smalltable while
it is being walked on.  A simple fix would be to always make
a copy of the oldtable if it is mp->ma_smalltable (not only
if oldtable == newtable).

Attached a more efficient fix, which should also make dict
resizing somehow faster.  It requires yet another version
of the lookup algorithm, though.  It's a very simple version
that assumes that all items are different and the dict
contains no dummy entries.
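The pattern Armin describes (Python code reached from a key's __eq__ mutating the very dict whose table is being walked) can be reproduced in pure Python. The following is an added probe written for this page, not the attached crashing example: all keys share one hash so the second insert has to call __eq__, and that __eq__ grows the same dict enough to force a resize mid-insert. The class and function names are made up; on an interpreter with the fix the probe must finish with a consistent dict.

```python
"""Reentrancy probe: mutate a dict from a custom __eq__ during an insert.

Constructed example. Every CollidingKey hashes to the same constant, so
inserting the second key makes CPython compare it against the stored key
via __eq__. That __eq__ inserts many new keys into the same dict, which
triggers a resize while the original insert is still in progress: the
situation msg27843 describes. A fixed interpreter restarts the lookup
after the mutation and ends with every key present exactly once.
"""


class CollidingKey:
    """Key whose __eq__ re-enters the dict code on the dict looking it up."""

    def __init__(self, ident, target, fill):
        self.ident = ident
        self.target = target  # the dict that __eq__ will mutate
        self.fill = fill      # shared one-shot list of keys to add

    def __hash__(self):
        return 42             # constant hash: forces __eq__ on every collision

    def __eq__(self, other):
        # Grow the dict that is currently comparing keys. Done once only,
        # so the lookups inside the loop below cannot recurse forever.
        if self.fill:
            pending = list(self.fill)
            del self.fill[:]
            for k in pending:
                self.target[k] = None
        return isinstance(other, CollidingKey) and self.ident == other.ident


def reentrant_resize_probe(extra=100):
    """Insert two colliding keys; the second insert resizes the dict
    from inside __eq__. Returns the dict and both keys for inspection."""
    d = {}
    # Integer hashes 1000..1099 never equal 42, so the filler keys are
    # inserted by hash alone and do not call __eq__ themselves.
    fill = list(range(1000, 1000 + extra))
    a = CollidingKey("a", d, fill)
    b = CollidingKey("b", d, fill)
    d[a] = "first"
    d[b] = "second"  # a.__eq__(b) runs here and resizes d mid-insert
    return d, a, b


if __name__ == "__main__":
    d, a, b = reentrant_resize_probe()
    print(len(d), d[a], d[b])
```

Expect 102 entries: the two colliding keys plus the 100 filler keys, with neither of the colliding keys lost or duplicated by the resize.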
msg27844 - Author: Armin Rigo (arigo) * (Python committer) Date: 2006-06-01 13:20

Fixed by patch #1497053.
msg27845 - Author: Tim Peters (tim.peters) * (Python committer) Date: 2006-06-01 15:54

Patch 1497053 was checked in as revision 46589 of the trunk
for Python 2.5, so closing this.  I doubt it's worth the
effort to backport to 2.4.
msg27846 - Author: Tim Peters (tim.peters) * (Python committer) Date: 2006-10-09 20:29

I backported the parts of rev 46589 relevant to this bug to
the 2.4 maint branch, as rev 52256, for Python 2.4.4.
History
Date                | User  | Action | Args
2006-03-22 15:47:18 | arigo | create |