Message207686
$ ./python -c 'import resource; resource.prlimit(-3, 11, "\udbff\udfff")'
Erreur de segmentation (core dumped)
The problem is a generic problem with PyArg_Parse functions and "(O)" format. With this format, the caller does not hold a reference to the object nor the tuple. If arbitrary Python code is executed before the object is used, the object pointer becomes a dangling pointer.
resource.prlimit() uses:
if (!PyArg_ParseTuple(args, _Py_PARSE_PID "i|(OO):prlimit",
&pid, &resource, &curobj, &maxobj))
return NULL;
In this issue, it's worse: the string is casted to a sequence, and each string character becomes a temporary substring of 1 character. The problem is that PyArg_ParseTuple() nor resource_prlimit() hold the reference, and so the curobj and maxobj are dangling pointer.
Options:
- raise an error if the second parameter is not a tuple: implement the check in prlimit() or i PyArg_ParseTuple()?
- hold a reference to the sequence, to curobj and to maxobj instead of using borrowed references |
|
Date |
User |
Action |
Args |
2014-01-08 14:33:42 | vstinner | set | recipients:
+ vstinner, serhiy.storchaka |
2014-01-08 14:33:42 | vstinner | set | messageid: <1389191622.9.0.0763750909735.issue20191@psf.upfronthosting.co.za> |
2014-01-08 14:33:42 | vstinner | link | issue20191 messages |
2014-01-08 14:33:42 | vstinner | create | |
|