
Author abacabadabacaba
Recipients abacabadabacaba
Date 2010-04-16.15:43:32
Message-id <1271432615.46.0.0442636661618.issue8420@psf.upfronthosting.co.za>
Content
I've noticed that set_lookkey (in Objects/setobject.c) does some unsafe things:
Objects/setobject.c:
> if (entry->hash == hash) {
> 	startkey = entry->key;
> 	Py_INCREF(startkey);
> 	cmp = PyObject_RichCompareBool(startkey, key, Py_EQ);
> 	Py_DECREF(startkey);
At this point, the object pointed to by startkey could be deallocated, and then a new object may be allocated at the same address.
> 	if (cmp < 0)
> 		return NULL;
> 	if (table == so->table && entry->key == startkey) {
At this point, the table may be reallocated at the same address but with a different (possibly smaller) size, so entry->key may be in deallocated memory. Also, entry->key may be equal to startkey but still point to an object other than the one key was compared with.
> 		if (cmp > 0)
> 			return entry;
> 	}
> 	else {
> 		/* The compare did major nasty stuff to the
> 		 * set:  start over.
> 		 */
> 		return set_lookkey(so, key, hash);
This can lead to infinite recursion.
> 	}
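
The three hazards listed in the report (address reuse after the DECREF, a same-address table of a different size, unbounded recursion) can be shown in a hardened form on a toy model. This is an added example, not CPython code and not the reporter's; `obj`, `entry`, `set`, `lookkey_hardened`, `MAX_RESTARTS` and the linear scan are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdlib.h>
/* Toy stand-ins for PyObject and the set table: constructed, not CPython code. */
typedef struct obj { int refcnt; long value; } obj;
typedef struct { long hash; obj *key; } entry;
typedef struct set set;
struct set { entry *table; size_t size; int calls; int (*eq)(set *, obj *, obj *); };
static obj *new_obj(long v) { obj *o = malloc(sizeof *o); o->refcnt = 1; o->value = v; return o; }
static void decref(obj *o) { if (--o->refcnt == 0) free(o); }
static int eq_plain(set *so, obj *a, obj *b) { so->calls++; return a->value == b->value; }
/* Models a comparison that mutates the set: swaps the stored key for a new equal object. */
static int eq_mutating(set *so, obj *a, obj *b) {
    so->calls++;
    decref(so->table[0].key);             /* drop the table's reference */
    so->table[0].key = new_obj(a->value); /* allocated while the caller still holds a */
    return a->value == b->value;
}
#define MAX_RESTARTS 8 /* assumed bound; replaces the unbounded recursion */
/* Returns the matching entry, or NULL if absent, on error, or if the set never settles. */
static entry *lookkey_hardened(set *so, obj *key, long hash) {
    for (int attempt = 0; attempt < MAX_RESTARTS; attempt++) {
        entry *table = so->table;
        size_t size = so->size, i;
        for (i = 0; i < size; i++) {
            entry *e = &table[i];
            if (e->key == NULL || e->hash != hash) continue;
            obj *startkey = e->key;
            startkey->refcnt++;
            int cmp = so->eq(so, startkey, key); /* may run arbitrary code */
            /* Re-validate BEFORE releasing startkey: its address cannot be reused
             * while we hold it, and e is read only if table and size are unchanged. */
            int stable = so->table == table && so->size == size && e->key == startkey;
            decref(startkey);
            if (cmp < 0) return NULL;
            if (!stable) break;           /* set changed under us: rescan */
            if (cmp > 0) return e;
        }
        if (i == size) return NULL;       /* full scan finished without a match */
    }
    return NULL;                          /* gave up instead of recursing forever */
}

int main(void) { /* constructed data: one stored key, one probe key */
    entry t[1] = { { 7, new_obj(7) } };
    set ok = { t, 1, 0, eq_plain }, bad = { t, 1, 0, eq_mutating };
    obj *k = new_obj(7);
    return (lookkey_hardened(&ok, k, 7) == &t[0] && lookkey_hardened(&bad, k, 7) == NULL) ? 0 : 1;
}
```
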