New submission from paul:

# Breakpoint 1, encoder_listencode_dict (s=0x405b23fc, acc=0xbfc4038c, dct=<D at remote 0x405c8b34>, indent_level=0)
# at /home/p/Python-3.4.1/Modules/_json.c:1540
# 1540 items = PyMapping_Keys(dct);
# (gdb) n
# 1541 if (items == NULL)
# (gdb) print *items
# $1 = {_ob_next = 0x405c8af4, _ob_prev = 0x4059006c, ob_refcnt = 2, ob_type = 0x830e1c0 <PyList_Type>}
# (gdb) n
# 1543 if (!PyList_Check(items)) {
# (gdb) n
# 1547 if (PyList_Sort(items) < 0)
# (gdb) n
# 1549 nitems = PyList_GET_SIZE(items);
# (gdb) n
# 1550 for (i = 0; i < nitems; i++) {
# (gdb) print nitems
# $2 = 1122
# (gdb) n
# 1552 key = PyList_GET_ITEM(items, i);
# (gdb) n
# 1553 value = PyDict_GetItem(dct, key);
# (gdb) print *key
# $3 = {_ob_next = 0x4058eedc, _ob_prev = 0x40590d1c, ob_refcnt = 1, ob_type = 0x405afd1c}
# (gdb) n
#
# Program received signal SIGSEGV, Segmentation fault.
# 0x08108825 in PyType_IsSubtype (a=0xdbdbdbdb, b=0x830f1a0 <PyLong_Type>) at Objects/typeobject.c:1292
# 1292 mro = a->tp_mro;
# (gdb) bt
# #0 0x08108825 in PyType_IsSubtype (a=0xdbdbdbdb, b=0x830f1a0 <PyLong_Type>) at Objects/typeobject.c:1292
# #1 0x080f22d6 in do_richcompare (v=1337, w=<unknown at remote 0x4059006c>, op=2) at Objects/object.c:643
# #2 0x080f263d in PyObject_RichCompare (v=1337, w=<unknown at remote 0x4059006c>, op=2) at Objects/object.c:701
# #3 0x080f26ce in PyObject_RichCompareBool (v=1337, w=<unknown at remote 0x4059006c>, op=2) at Objects/object.c:723
# #4 0x080df7b5 in lookdict (mp=0x405c8b34, key=<unknown at remote 0x4059006c>, hash=1337, value_addr=0xbfc40200)
# at Objects/dictobject.c:485
# #5 0x080e145d in PyDict_GetItem (op=<D at remote 0x405c8b34>, key=<unknown at remote 0x4059006c>) at Objects/dictobject.c:1095
# #6 0x405bf6f9 in encoder_listencode_dict (s=0x405b23fc, acc=0xbfc4038c, dct=<D at remote 0x405c8b34>, indent_level=0)
#
# Deleting the object in the __hash__() method triggers a use after free in PyType_IsSubtype.
# The type pointer a=0xdbdbdbdb is the pattern CPython's debug allocator writes over freed memory, and it is read from the key at 0x4059006c: the key was freed while encoder_listencode_dict still held only the borrowed reference from PyList_GET_ITEM.
# PyDict_GetItem can run Python code (__hash__, __eq__), so the usual remedy for this pattern is to hold a strong reference to the key across that call.
---------- files: poc_enc_dict1.py messages: 242308 nosy: pkt priority: normal severity: normal status: open title: Use after free during json encoding (PyType_IsSubtype) type: crash versions: Python 3.4 Added file: http://bugs.python.org/file39243/poc_enc_dict1.py _______________________________________ Python tracker <rep...@bugs.python.org> <http://bugs.python.org/issue24094> _______________________________________