Rietveld Code Review Tool
Help | Bug tracker | Discussion group | Source code | Sign in
(145171)

#28963: Use-after-free in _asynciomodule.c

Can't Edit
Can't Publish+Mail
Start Review
Created:
2 years, 7 months ago by nedwilliamson
Modified:
2 years, 7 months ago
Reviewers:
songofacandy
CC:
haypo, ned.deily, inada.naoki, Yury Selivanov, Ned Williamson
Visibility:
Public.

Patch Set 1 #

Total comments: 1
Unified diffs Side-by-side diffs Delta from patch set Stats Patch
Lib/test/test_asyncio/test_futures.py View 1 chunk +29 lines, -0 lines 0 comments Download
Modules/_asynciomodule.c View 1 chunk +1 line, -1 line 1 comment Download

Messages

Total messages: 1
inada.naoki
2 years, 7 months ago #1
http://bugs.python.org/review/28963/diff/19452/Modules/_asynciomodule.c
File Modules/_asynciomodule.c (right):

http://bugs.python.org/review/28963/diff/19452/Modules/_asynciomodule.c#newco...
Modules/_asynciomodule.c:534: PyList_SET_ITEM(newlist, j, item);
PyObject_RichCompareBool() may append callbacks by evil __eq__ too.
In such case, newlist can overflow.

if (ret == 0) {
    if (j < len) {
        Py_INCREF(item);
        PyList_SET_ITEM(newlist, j, item);
    }
    else {
        if (PyList_Append(newlist, item))
            goto fail;
    }
}
Sign in to reply to this message.

RSS Feeds Recent Issues | This issue
This is Rietveld 894c83f36cb7+