[issue24099] Use after free in siftdown (1)
Changes by Raymond Hettinger raymond.hettin...@gmail.com:

--
resolution: -> fixed
status: open -> closed

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue24099
___
___
Python-bugs-list mailing list
Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24099] Use after free in siftdown (1)
Changes by Arfrever Frehtes Taifersar Arahesis arfrever@gmail.com:

--
nosy: +Arfrever
[issue24099] Use after free in siftdown (1)
Roundup Robot added the comment:

New changeset d356e68de236 by Raymond Hettinger in branch '2.7':
Issues #24099, #24100, and #24101: Fix free-after-use bug in heapq.
https://hg.python.org/cpython/rev/d356e68de236
[issue24099] Use after free in siftdown (1)
Roundup Robot added the comment:

New changeset 813854f49f9d by Raymond Hettinger in branch '3.4':
Issues #24099, #24100, and #24101: Fix free-after-use bug in heapq.
https://hg.python.org/cpython/rev/813854f49f9d

--
nosy: +python-dev
[issue24099] Use after free in siftdown (1)
Changes by Serhiy Storchaka storch...@gmail.com:

--
nosy: +serhiy.storchaka
[issue24099] Use after free in siftdown (1)
Changes by Christian Heimes li...@cheimes.de:

--
nosy: +christian.heimes
[issue24099] Use after free in siftdown (1)
Changes by Christian Heimes li...@cheimes.de:

--
components: +Extension Modules
stage: -> needs patch
versions: +Python 3.5
[issue24099] Use after free in siftdown (1)
New submission from paul:

# _siftdown(PyListObject *heap, Py_ssize_t startpos, Py_ssize_t pos)
# ...
#     newitem = PyList_GET_ITEM(heap, pos);
#     Py_INCREF(newitem);
#     /* Follow the path to the root, moving parents down until finding
#        a place newitem fits. */
#     while (pos > startpos){
#         parentpos = (pos - 1) >> 1;
# 1       parent = PyList_GET_ITEM(heap, parentpos);
# 2       cmp = PyObject_RichCompareBool(newitem, parent, Py_LT);
#         if (cmp == -1) {
#             Py_DECREF(newitem);
#             return -1;
#         }
# 3       if (size != PyList_GET_SIZE(heap)) {
#             Py_DECREF(newitem);
#             PyErr_SetString(PyExc_RuntimeError,
#                             "list changed size during iteration");
#             return -1;
#         }
#         if (cmp == 0)
#             break;
# 4       Py_INCREF(parent);
# ...
#
# 1. parent isn't protected (refcnt==1)
# 2. custom compare function deletes all objects in heap and repopulates it with
#    fresh instances. parent is freed
# 3. check is ineffective. Heap was mutated while preserving its size
# 4. use after free. Crash will manifest itself later.

--
files: poc_siftdown1.py
messages: 242316
nosy: pkt
priority: normal
severity: normal
status: open
title: Use after free in siftdown (1)
type: crash
versions: Python 3.4

Added file: http://bugs.python.org/file39250/poc_siftdown1.py
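Added example (not part of the original report and not CPython code): a self-contained toy model of steps 1-4 above, with the borrowed-reference pass next to two ways of keeping step 4 safe, holding a reference across the compare or reloading the slot afterwards. Obj, pool, mutating_lt, siftdown_step and the mode names are hypothetical, and release only sets a flag so the stale read stays observable.

```c
#include <stdio.h>
/* Toy refcounted object. Release only sets a flag (no free()), so the
   stale access can be observed without undefined behaviour. */
typedef struct { int refcnt; int freed; int value; } Obj;
#define HEAP_SIZE 3
static Obj pool[2 * HEAP_SIZE];  /* old items, then fresh replacements */
static Obj *heap[HEAP_SIZE];     /* the list owns one reference per slot */
enum mode { BORROWED, HOLD_REF, REFETCH };

static void incref(Obj *o) { o->refcnt++; }
static void decref(Obj *o) { if (--o->refcnt == 0) o->freed = 1; }

static void heap_init(void) {
    for (int i = 0; i < 2 * HEAP_SIZE; i++) pool[i] = (Obj){0, 0, i};
    for (int i = 0; i < HEAP_SIZE; i++) { heap[i] = &pool[i]; incref(heap[i]); }
}

/* Stand-in for the custom compare in step 2: drops every item and
   repopulates the heap with fresh ones, leaving the size unchanged. */
static int mutating_lt(const Obj *a, const Obj *b) {
    int lt = a->value < b->value;
    for (int i = 0; i < HEAP_SIZE; i++) {
        decref(heap[i]);
        heap[i] = &pool[HEAP_SIZE + i];
        incref(heap[i]);
    }
    return lt;
}

/* One pass of the loop body from the report on a fresh toy heap. Returns 1
   if `parent` is already released when step 4 touches it, 0 otherwise. */
static int siftdown_step(int pos, enum mode m) {
    heap_init();
    int parentpos = (pos - 1) >> 1;
    Obj *newitem = heap[pos];
    incref(newitem);
    Obj *parent = heap[parentpos];              /* 1: borrowed reference */
    if (m == HOLD_REF) incref(parent);          /* own it across the call */
    (void)mutating_lt(newitem, parent);         /* 2: arbitrary code runs */
    /* 3: a size check passes here, HEAP_SIZE never changed */
    if (m == REFETCH) parent = heap[parentpos]; /* reload from the list */
    int stale = parent->freed;                  /* 4: the use */
    if (m == HOLD_REF) decref(parent);
    decref(newitem);
    return stale;
}

int main(void) {
    for (int m = BORROWED; m <= REFETCH; m++)
        printf("mode %d: parent stale at step 4 = %d\n", m, siftdown_step(2, (enum mode)m));
}
```

In this model BORROWED reports 1 (parent already released when step 4 runs), while HOLD_REF and REFETCH report 0.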
[issue24099] Use after free in siftdown (1)
Changes by Raymond Hettinger raymond.hettin...@gmail.com:

--
assignee: -> rhettinger
nosy: +rhettinger