
Author vstinner
Recipients serhiy.storchaka, vstinner
Date 2014-01-08.14:33:42
Message-id <1389191622.9.0.0763750909735.issue20191@psf.upfronthosting.co.za>
Content
$ ./python -c 'import resource; resource.prlimit(-3, 11, "\udbff\udfff")'
Erreur de segmentation (core dumped)

The problem is a generic problem with PyArg_Parse functions and "(O)" format. With this format, the caller does not hold a reference to the object nor the tuple. If arbitrary Python code is executed before the object is used, the object pointer becomes a dangling pointer.

resource.prlimit() uses:

    if (!PyArg_ParseTuple(args, _Py_PARSE_PID "i|(OO):prlimit",
                          &pid, &resource, &curobj, &maxobj))
        return NULL;

In this issue, it's worse: the string is cast to a sequence, and each string character becomes a temporary substring of 1 character. The problem is that neither PyArg_ParseTuple() nor resource_prlimit() holds the reference, and so curobj and maxobj are dangling pointers.

Options:

- raise an error if the second parameter is not a tuple: implement the check in prlimit() or in PyArg_ParseTuple()?
- hold a reference to the sequence, to curobj and to maxobj instead of using borrowed references
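
A regression check for the crash reported above, as an added example that is not part of the original message or of CPython's own test suite. It runs the reported call in a child interpreter and goes slightly beyond it with two constructed non-tuple variants, flagging any case that dies from a signal instead of raising an exception; the names CASES, classify, run_case and crashing_cases are hypothetical.

```python
import signal
import subprocess
import sys

# Child-process snippets. "report" is the call from the message above; the
# other two are constructed variants that also pass a non-tuple sequence whose
# items are temporary objects created while the arguments are unpacked.
CASES = {
    "report": r'import resource; resource.prlimit(-3, 11, "\udbff\udfff")',
    "ascii-str": 'import resource; resource.prlimit(-3, 11, "ab")',
    "custom-seq": (
        "import resource\n"
        "class S:\n"
        "    def __len__(self): return 2\n"
        "    def __getitem__(self, i):\n"
        "        if i > 1: raise IndexError\n"
        "        return str(i)\n"
        "resource.prlimit(-3, 11, S())\n"
    ),
}


def classify(returncode):
    """Map a child's exit status to 'ok', 'exception' or 'killed by <signal>'."""
    if returncode == 0:
        return "ok"
    if returncode < 0:  # POSIX: a negative value means death by signal
        return "killed by " + signal.Signals(-returncode).name
    return "exception"


def run_case(code, python=sys.executable, timeout=30):
    """Run one snippet in a fresh interpreter so a crash cannot take us down."""
    proc = subprocess.run([python, "-c", code], stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL, timeout=timeout)
    return classify(proc.returncode)


def crashing_cases(python=sys.executable):
    """Return the names of cases that end in a signal, not an exception."""
    return [name for name, code in CASES.items()
            if run_case(code, python).startswith("killed")]


if __name__ == "__main__":
    bad = crashing_cases()
    print("crashing cases:", bad or "none")
    sys.exit(1 if bad else 0)
```

Pass the path of another build as `python` to check an interpreter other than the one running the script.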
History
Date                 User      Action  Args
2014-01-08 14:33:42  vstinner  set     recipients: + vstinner, serhiy.storchaka
2014-01-08 14:33:42  vstinner  set     messageid: <1389191622.9.0.0763750909735.issue20191@psf.upfronthosting.co.za>
2014-01-08 14:33:42  vstinner  link    issue20191 messages
2014-01-08 14:33:42  vstinner  create