From: Benjamin Peterson <benjamin@python.org>
Date: Mon, 17 Nov 2008 23:27:02 +0000 (+0000)
Subject: backport the security fix part of r67246
X-Git-Tag: v2.4.6c1~6
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=38ce9c294b00a615f78b8f03ff2cc60fdf0fc7c2;p=thirdparty%2FPython%2Fcpython.git

backport the security fix part of r67246
---

diff --git a/Lib/test/test_descr.py b/Lib/test/test_descr.py
index a31a9f0cdf7e..cd3d9526aad0 100644
--- a/Lib/test/test_descr.py
+++ b/Lib/test/test_descr.py
@@ -4087,6 +4087,24 @@ def notimplemented():
                 check(iexpr, c, N1)
                 check(iexpr, c, N2)
 
+def test_lost_getattr():
+    # issue 4230
+    import gc
+    class EvilGetattribute(object):
+        def __getattr__(self, name):
+            raise AttributeError(name)
+        def __getattribute__(self, name):
+            del EvilGetattribute.__getattr__
+            for i in range(5):
+                gc.collect()
+            raise AttributeError(name)
+
+    try:
+        # This used to segfault
+        EvilGetattribute().attr
+    except AttributeError:
+        pass
+
 def test_main():
     weakref_segfault() # Must be first, somehow
     wrapper_segfault()
@@ -4183,6 +4201,7 @@ def test_main():
     vicious_descriptor_nonsense()
     test_init()
     notimplemented()
+    test_lost_getattr()
 
     if verbose: print "All OK"
 
diff --git a/Misc/NEWS b/Misc/NEWS
index 320e753ef568..3d6a8014a08f 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -12,6 +12,9 @@ What's New in Python 2.4.6c1?
 Core and builtins
 -----------------
 
+- Issue #4230: Fix a crash when a class has a custom __getattr__ and an
+  __getattribute__ method that deletes the __getattr__ attribute.
+
 - Apply security patches from Apple. CVE-2008-2315.
 
 - Issue #2620: Overflow checking when allocating or reallocating memory
diff --git a/Objects/typeobject.c b/Objects/typeobject.c
index 295634c0a831..2618fb3ed285 100644
--- a/Objects/typeobject.c
+++ b/Objects/typeobject.c
@@ -4594,6 +4594,7 @@ slot_tp_getattr_hook(PyObject *self, PyObject *name)
 		tp->tp_getattro = slot_tp_getattro;
 		return slot_tp_getattro(self, name);
 	}
+	Py_INCREF(getattr);
 	getattribute = _PyType_Lookup(tp, getattribute_str);
 	if (getattribute == NULL ||
 	    (getattribute->ob_type == &PyWrapperDescr_Type &&
@@ -4606,6 +4607,7 @@ slot_tp_getattr_hook(PyObject *self, PyObject *name)
 		PyErr_Clear();
 		res = PyObject_CallFunction(getattr, "OO", self, name);
 	}
+	Py_DECREF(getattr);
 	return res;
 }