This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

classification
Title: Use after free in Element.extend (1)
Type: crash Stage: resolved
Components: Extension Modules, XML Versions: Python 3.4, Python 3.5
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: serhiy.storchaka Nosy List: Arfrever, christian.heimes, eli.bendersky, pkt, python-dev, scoder, serhiy.storchaka
Priority: normal Keywords: patch

Created on 2015-05-01 13:56 by pkt, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Files
File name Uploaded Description Edit
poc_elt_extend1.py pkt, 2015-05-01 13:56
etree_crashes.patch serhiy.storchaka, 2015-05-02 20:34 review
Messages (3)
msg242305 - (view) Author: paul (pkt) Date: 2015-05-01 13:56 
# 1055        for (i = 0; i < seqlen; i++) {
# (gdb) n
# 1056            PyObject* element = PySequence_Fast_GET_ITEM(seq, i);
# (gdb) n
# 1057            if (!PyObject_IsInstance(element, (PyObject *)&Element_Type)) {
# (gdb) print *element
# $19 = {_ob_next = 0x4060e6fc, _ob_prev = 0x4056cd8c, ob_refcnt = 1, ob_type = 0x406de3e4}
# (gdb) n
# 1066            if (element_add_subelement(self, element) < 0) {
# (gdb) print *element
# $20 = {_ob_next = 0xdbdbdbdb, _ob_prev = 0xdbdbdbdb, ob_refcnt = -606348325, ob_type = 0xdbdbdbdb}
# 
# Fatal Python error: /home/p/Python-3.4.1/Modules/_elementtree.c:267 object at 0x4056c4cc has negative ref count -606348326
# 
# "element" is removed in __getattribute__ method.
msg242430 - (view) Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2015-05-02 20:34 
Here is a patch that fixes issue24091, issue24092, issue24093, and several other similar bugs.
msg243489 - (view) Author: Roundup Robot (python-dev) (Python triager) Date: 2015-05-18 15:34 
New changeset 34523e53a342 by Serhiy Storchaka in branch '2.7':
Issue #24091: Fixed various crashes in corner cases in cElementTree.
https://hg.python.org/cpython/rev/34523e53a342

New changeset 157c4afca186 by Serhiy Storchaka in branch '3.4':
Issue #24091: Fixed various crashes in corner cases in C implementation of
https://hg.python.org/cpython/rev/157c4afca186

New changeset a8b8d1b211fe by Serhiy Storchaka in branch 'default':
Issue #24091: Fixed various crashes in corner cases in C implementation of
https://hg.python.org/cpython/rev/a8b8d1b211fe
History
Date User Action Args
2022-04-11 14:58:16adminsetgithub: 68279
2015-05-19 12:51:10serhiy.storchakasetstatus: open -> closed
resolution: fixed
stage: patch review -> resolved
2015-05-18 15:34:13python-devsetnosy: + python-dev
messages: + msg243489
2015-05-03 06:43:47Arfreversetnosy: + Arfrever
2015-05-02 20:36:29serhiy.storchakalinkissue24093 superseder
2015-05-02 20:36:24serhiy.storchakalinkissue24092 superseder
2015-05-02 20:34:44serhiy.storchakasetfiles: + etree_crashes.patch
versions: + Python 3.5
messages: + msg242430

assignee: serhiy.storchaka
keywords: + patch
stage: patch review
2015-05-01 14:12:23christian.heimessetnosy: + christian.heimes
2015-05-01 14:00:46serhiy.storchakasetnosy: + scoder, eli.bendersky, serhiy.storchaka
components: + Extension Modules, XML
2015-05-01 13:56:07pktcreate