Ammar Askar added the comment: The proposed patch fixes this, not sure if a regression test is appropriate here.
Here's a more minimal example that demonstrates the exact problem: ``` class Index(): def __index__(self): global a a.append("2") return 999 a = bytearray(b"1") buf = buffer(a) s = buf[:1:Index()] # buf[Index():x:x] or buf[x:x:Index()] will also crash ``` The problem doesn't show up when doing buffer[x:Index()] or [Index():x] because this syntax calls the sq_slice method implemented by buffer object which is passed the indexes as numbers. However when using slice notation with three arguments, the equivilant of these lines of code is executed: ``` slice_object = slice(x, Index(), x) buffer[slice_object] ``` During the `buffer[slice_object]`, a call is made in the slice object to find the indexes of the slice. This calls into the __index__ method of the Index class which mutates the underlying storage behind the buffer. However, buffer's subscript method stores the underyling storage in a local variable before calling the GetIndices method (assuming the object won't be mutated) which means that when it returns, it returns a pointer to an older portion of memory. I took a quick look at listobject, stringobject, unicodeobject, tupleobject and bytearrayobject's subscript methods and it seems they all only access their members after the call to PySlice_GetIndices, so I think they should be fine. memoryview objects cause a `BufferError: Existing exports of data: object cannot be re-sized` error so Py3 should be fine. ---------- keywords: +needs review, patch nosy: +ammar2 stage: -> patch review Added file: http://bugs.python.org/file46046/buffer-use-after-free-fix.patch _______________________________________ Python tracker <rep...@bugs.python.org> <http://bugs.python.org/issue29028> _______________________________________ _______________________________________________ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com