This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author sbt
Recipients amaury.forgeotdarc, jcea, pitrou, sbt, skrah
Date 2012-09-18.12:49:29
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1347972570.3.0.567630914084.issue15903@psf.upfronthosting.co.za>
In-reply-to
Content 
The current non-test uses of PyMemoryView_FromBuffer() are in _io.BufferedReader.read(), _io.BufferedWriter.write(), PyUnicode_Decode().

It looks like they can each be made to leak a memoryview that references a deallocated buffer.  (Maybe the answer is Don't Do That.)


import codecs, sys

def decode(buf):
    global view
    view = buf
    return codecs.latin_1_decode(buf)

def getregentry():
    return codecs.CodecInfo(name='foobar', decode=decode,
                            encode=codecs.latin_1_encode)

@codecs.register
def search_function(encoding):
    if encoding == 'foobar':
        return codecs.CodecInfo(*getregentry())

b = b'hello'.upper()
b.decode('foobar')
print(view.tobytes())                   # => b'HELLO'
del b
x = b'dump'.upper()
print(view.tobytes())                   # => b'DUMP\x00'



import io, sys

class File(io.RawIOBase):
    def readinto(self, buf):
        global view
        view = buf
        n = len(buf)
        buf[:] = b'x'*n
        return n

    def readable(self):
        return True

f = io.BufferedReader(File())
f.read(1)
print(view[:5].tobytes())       # => b'xxxxx'
del f
print(view[:5].tobytes())       # => b'\xdd\xdd\xdd\xdd\xdd'
History
Date User Action Args
2012-09-18 12:49:30sbtsetrecipients: + sbt, jcea, amaury.forgeotdarc, pitrou, skrah
2012-09-18 12:49:30sbtsetmessageid: <1347972570.3.0.567630914084.issue15903@psf.upfronthosting.co.za>
2012-09-18 12:49:29sbtlinkissue15903 messages
2012-09-18 12:49:29sbtcreate