Message103333
I've noticed that set_lookkey (in Objects/setobject.c) does some unsafe things:
Objects/setobject.c:
> if (entry->hash == hash) {
> startkey = entry->key;
> Py_INCREF(startkey);
> cmp = PyObject_RichCompareBool(startkey, key, Py_EQ);
> Py_DECREF(startkey);
At this point, object pointed to by startkey could be deallocated, and then new object may be allocated at the same address.
> if (cmp < 0)
> return NULL;
> if (table == so->table && entry->key == startkey) {
At this point, the table may be reallocated at the same address but with different (possibly smaller) size, so entry->key may be in deallocated memory. Also, entry->key may be equal to startkey but still point to an object other than one key was compared with.
> if (cmp > 0)
> return entry;
> }
> else {
> /* The compare did major nasty stuff to the
> * set: start over.
> */
> return set_lookkey(so, key, hash);
This can lead to infinite recursion.
> } |
|
Date |
User |
Action |
Args |
2010-04-16 15:43:35 | abacabadabacaba | set | recipients:
+ abacabadabacaba |
2010-04-16 15:43:35 | abacabadabacaba | set | messageid: <1271432615.46.0.0442636661618.issue8420@psf.upfronthosting.co.za> |
2010-04-16 15:43:34 | abacabadabacaba | link | issue8420 messages |
2010-04-16 15:43:33 | abacabadabacaba | create | |
|