bpo-38588: Fix possible crashes in dict and list when calling PyObject_RichCompareBoo...

author Dong-hee Na <donghee.na92@gmail.com>

Tue, 31 Dec 2019 01:04:22 +0000 (10:04 +0900)

committer Pablo Galindo <Pablogsal@gmail.com>

Tue, 31 Dec 2019 01:04:22 +0000 (01:04 +0000)
author Dong-hee Na <donghee.na92@gmail.com>
Tue, 31 Dec 2019 01:04:22 +0000 (10:04 +0900)
committer Pablo Galindo <Pablogsal@gmail.com>
Tue, 31 Dec 2019 01:04:22 +0000 (01:04 +0000)
diff --git a/Lib/test/test_dict.py b/Lib/test/test_dict.py

index 5b513765f7b08af3a822c7d8398105784578ea71..de483ab552155a53c34b200cddd6529f9023d36b 100644 (file)
--- a/Lib/test/test_dict.py
+++ b/Lib/test/test_dict.py
@@ -1221,7 +1221,7 @@ class DictTest(unittest.TestCase):
          support.check_free_after_iterating(self, lambda d: iter(d.items()), dict)
  
      def test_equal_operator_modifying_operand(self):
-        # test fix for seg fault reported in issue 27945 part 3.
+        # test fix for seg fault reported in bpo-27945 part 3.
          class X():
              def __del__(self):
                  dict_b.clear()
@@ -1237,6 +1237,16 @@ class DictTest(unittest.TestCase):
          dict_b = {X(): X()}
          self.assertTrue(dict_a == dict_b)
  
+        # test fix for seg fault reported in bpo-38588 part 1.
+        class Y:
+            def __eq__(self, other):
+                dict_d.clear()
+                return True
+
+        dict_c = {0: Y()}
+        dict_d = {0: set()}
+        self.assertTrue(dict_c == dict_d)
+
      def test_fromkeys_operator_modifying_dict_operand(self):
          # test fix for seg fault reported in issue 27945 part 4a.
          class X(int):
diff --git a/Lib/test/test_list.py b/Lib/test/test_list.py

index b10a833033f1590226d052d33b553e04cba78893..6e3c4c109300e618fccabc8a37a914ea253b89c8 100644 (file)
--- a/Lib/test/test_list.py
+++ b/Lib/test/test_list.py
@@ -163,6 +163,31 @@ class ListTest(list_tests.CommonTest):
          with self.assertRaises(TypeError):
              (3,) + L([1,2])
  
+    def test_equal_operator_modifying_operand(self):
+        # test fix for seg fault reported in bpo-38588 part 2.
+        class X:
+            def __eq__(self,other) :
+                list2.clear()
+                return NotImplemented
+
+        class Y:
+            def __eq__(self, other):
+                list1.clear()
+                return NotImplemented
+
+        class Z:
+            def __eq__(self, other):
+                list3.clear()
+                return NotImplemented
+
+        list1 = [X()]
+        list2 = [Y()]
+        self.assertTrue(list1 == list2)
+
+        list3 = [Z()]
+        list4 = [1]
+        self.assertFalse(list3 == list4)
+
      @cpython_only
      def test_preallocation(self):
          iterable = [0] * 10
diff --git a/Misc/NEWS.d/next/Core and Builtins/2019-12-29-19-13-54.bpo-38588.pgXnNS.rst b/Misc/NEWS.d/next/Core and Builtins/2019-12-29-19-13-54.bpo-38588.pgXnNS.rst

new file mode 100644 (file)

index 0000000..0b81085
--- /dev/null
+++ b/Misc/NEWS.d/next/Core and Builtins/2019-12-29-19-13-54.bpo-38588.pgXnNS.rst
@@ -0,0 +1,2 @@
+Fix possible crashes in dict and list when calling
+:c:func:`PyObject_RichCompareBool`.
diff --git a/Objects/dictobject.c b/Objects/dictobject.c

index 4afa19c8a0a90b155913aafd66c55bfdc87847db..87f88abbe53bd9fb98194d4173380a18180cb941 100644 (file)
--- a/Objects/dictobject.c
+++ b/Objects/dictobject.c
@@ -2777,9 +2777,11 @@ dict_equal(PyDictObject *a, PyDictObject *b)
                      return -1;
                  return 0;
              }
+            Py_INCREF(bval);
              cmp = PyObject_RichCompareBool(aval, bval, Py_EQ);
              Py_DECREF(key);
              Py_DECREF(aval);
+            Py_DECREF(bval);
              if (cmp <= 0)  /* error or not equal */
                  return cmp;
          }
diff --git a/Objects/listobject.c b/Objects/listobject.c

index 86690f764b7db4031bc2e8c3859d1153b5dce01d..abe2604573f95a040110559bfebf56419eac806f 100644 (file)
--- a/Objects/listobject.c
+++ b/Objects/listobject.c
@@ -2662,8 +2662,15 @@ list_richcompare(PyObject *v, PyObject *w, int op)
  
      /* Search for the first index where items are different */
      for (i = 0; i < Py_SIZE(vl) && i < Py_SIZE(wl); i++) {
+        PyObject *vitem = vl->ob_item[i];
+        PyObject *witem = wl->ob_item[i];
+
+        Py_INCREF(vitem);
+        Py_INCREF(witem);
          int k = PyObject_RichCompareBool(vl->ob_item[i],
                                           wl->ob_item[i], Py_EQ);
+        Py_DECREF(vitem);
+        Py_DECREF(witem);
          if (k < 0)
              return NULL;
          if (!k)
author	Dong-hee Na <donghee.na92@gmail.com>
	Tue, 31 Dec 2019 01:04:22 +0000 (10:04 +0900)
committer	Pablo Galindo <Pablogsal@gmail.com>
	Tue, 31 Dec 2019 01:04:22 +0000 (01:04 +0000)
Lib/test/test_dict.py		patch \| blob \| blame \| history
Lib/test/test_list.py		patch \| blob \| blame \| history
Misc/NEWS.d/next/Core and Builtins/2019-12-29-19-13-54.bpo-38588.pgXnNS.rst	[new file with mode: 0644]	patch \| blob
Objects/dictobject.c		patch \| blob \| blame \| history
Objects/listobject.c		patch \| blob \| blame \| history