From: Georg Brandl Date: Mon, 18 Jul 2005 07:24:37 +0000 (+0000) Subject: backporting fix by tim_one: X-Git-Tag: v2.4.2c1~129 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7f944144855e431e6f74a743c9fc6afd7279f149;p=thirdparty%2FPython%2Fcpython.git backporting fix by tim_one: """ SF bug #1238681: freed pointer is used in longobject.c:long_pow(). In addition, long_pow() skipped a necessary (albeit extremely unlikely to trigger) error check when converting an int modulus to long. Alas, I was unable to write a test case that crashed due to either cause. """ --- diff --git a/Misc/NEWS b/Misc/NEWS index 875c148a91cf..fff4715a0593 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -12,6 +12,8 @@ What's New in Python 2.4.2a Core and builtins ----------------- +- SF bug #1238681: freed pointer is used in longobject.c:long_pow(). + - SF bug #1185883: Python's small-object memory allocator took over a block managed by the platform C library whenever a realloc specified a small new size. However, there's no portable way to know then how diff --git a/Objects/longobject.c b/Objects/longobject.c index 11a7024e4543..ced72e108b3e 100644 --- a/Objects/longobject.c +++ b/Objects/longobject.c @@ -2360,8 +2360,11 @@ long_pow(PyObject *v, PyObject *w, PyObject *x) c = (PyLongObject *)x; Py_INCREF(x); } - else if (PyInt_Check(x)) + else if (PyInt_Check(x)) { c = (PyLongObject *)PyLong_FromLong(PyInt_AS_LONG(x)); + if (c == NULL) + goto Error; + } else if (x == Py_None) c = NULL; else { @@ -2511,14 +2514,14 @@ long_pow(PyObject *v, PyObject *w, PyObject *x) } /* fall through */ Done: - Py_XDECREF(a); - Py_XDECREF(b); - Py_XDECREF(c); - Py_XDECREF(temp); if (b->ob_size > FIVEARY_CUTOFF) { for (i = 0; i < 32; ++i) Py_XDECREF(table[i]); } + Py_DECREF(a); + Py_DECREF(b); + Py_XDECREF(c); + Py_XDECREF(temp); return (PyObject *)z; }