Author pkt
Recipients pkt
Date 2015-05-01.14:11:19
Message-id <1430489480.16.0.0840319770251.issue24099@psf.upfronthosting.co.za>
Content
# _siftdown(PyListObject *heap, Py_ssize_t startpos, Py_ssize_t pos)
#     ...
#     newitem = PyList_GET_ITEM(heap, pos);
#     Py_INCREF(newitem);
#     /* Follow the path to the root, moving parents down until finding
#        a place newitem fits. */
#     while (pos > startpos){
#         parentpos = (pos - 1) >> 1;
# 1       parent = PyList_GET_ITEM(heap, parentpos);
# 2       cmp = PyObject_RichCompareBool(newitem, parent, Py_LT);
#         if (cmp == -1) {
#             Py_DECREF(newitem);
#             return -1;
#         }
# 3       if (size != PyList_GET_SIZE(heap)) {
#             Py_DECREF(newitem);
#             PyErr_SetString(PyExc_RuntimeError,
#                             "list changed size during iteration");
#             return -1;
#         }
#         if (cmp == 0)
#             break;
# 4       Py_INCREF(parent);
#         ...
# 
# 1. parent isn't protected (refcnt==1)
# 2. custom compare function deletes all objects in "heap" and repopulates it with
#    fresh instances. "parent" is freed
# 3. check is ineffective. Heap was mutated while preserving its size
# 4. use after free. Crash will manifest itself later.
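Added example, not part of the report or of CPython: a pure-Python model of the `_siftdown` loop that reproduces the point made at step 3, namely that checking the list's size before and after the comparison cannot detect a mutation that keeps the size constant, and contrasts it with a mutation counter that does. `VersionedList`, `Hostile`, and both `siftdown_*` functions are constructed for this illustration; Python's garbage collector keeps the stale `parent` alive here, so the example records the stale reference instead of crashing.

```python
# Added example (not from the issue or CPython): models the heapq _siftdown
# integrity check in pure Python. Shows why a size comparison misses a
# same-size repopulation of the heap, and how a mutation counter catches it.


class VersionedList:
    """Hypothetical list wrapper that counts every structural change."""

    def __init__(self, items=()):
        self._items = list(items)
        self.version = 0          # bumped on every mutation

    def __len__(self):
        return len(self._items)

    def __getitem__(self, i):
        return self._items[i]

    def __setitem__(self, i, value):
        self._items[i] = value
        self.version += 1

    def replace_all(self, items):
        """Same-size repopulation, mirroring step 2 of the report."""
        self._items[:] = list(items)
        self.version += 1

    def items(self):
        return list(self._items)


class Hostile:
    """Constructed key whose __lt__ repopulates the heap with fresh objects
    while preserving its length (the mutation described at step 2)."""

    def __init__(self, value, heap=None):
        self.value = value
        self.heap = heap

    def __lt__(self, other):
        if self.heap is not None:
            self.heap.replace_all(Hostile(i) for i in range(len(self.heap)))
        return self.value < other.value


def siftdown_size_check(heap, startpos, pos):
    """Mirror of the reported loop: the check only compares len()."""
    size = len(heap)
    newitem = heap[pos]
    stale = []                    # parents that left the heap mid-loop
    while pos > startpos:
        parentpos = (pos - 1) >> 1
        parent = heap[parentpos]
        cmp = newitem < parent    # comparator may mutate the heap here
        if size != len(heap):     # step 3: blind to same-size mutation
            raise RuntimeError("list changed size during iteration")
        if not cmp:
            break
        if parent is not heap[parentpos]:
            stale.append(parent)  # in the C code this object is already freed
        heap[pos] = parent
        pos = parentpos
    heap[pos] = newitem
    return stale


def siftdown_version_check(heap, startpos, pos):
    """Hardened variant: any mutation during the comparison is detected."""
    version = heap.version
    newitem = heap[pos]
    while pos > startpos:
        parentpos = (pos - 1) >> 1
        parent = heap[parentpos]
        cmp = newitem < parent
        if version != heap.version:
            raise RuntimeError("heap mutated during comparison")
        if not cmp:
            break
        heap[pos] = parent
        version = heap.version    # our own write is a legitimate change
        pos = parentpos
    heap[pos] = newitem
    return []


def make_hostile_heap():
    """Three-element heap whose last item mutates the heap when compared."""
    heap = VersionedList([Hostile(0), Hostile(1), Hostile(-1)])
    heap[2].heap = heap
    return heap


def demo_size_check():
    """Returns the stale parents the size-only check failed to notice."""
    return siftdown_size_check(make_hostile_heap(), 0, 2)


def demo_version_check():
    """Returns the error message raised by the hardened check, or None."""
    try:
        siftdown_version_check(make_hostile_heap(), 0, 2)
    except RuntimeError as exc:
        return str(exc)
    return None


def benign_case():
    """The hardened check still sifts an ordinary heap correctly."""
    heap = VersionedList([5, 3, 1])
    siftdown_version_check(heap, 0, 2)
    return heap.items()


if __name__ == "__main__":
    print("stale parents missed by size check:", len(demo_size_check()))
    print("version check:", demo_version_check())
    print("benign sift:", benign_case())
```

The version counter addresses only the detection gap at step 3. The use-after-free itself comes from step 1: the C code calls the comparator while holding no reference of its own to `parent`, so the defensive change in C is to take a reference to `parent` before the comparison and release it afterwards, exactly as the loop already does for `newitem`.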