C.__name__ = 'D.E'
self.assertEqual((C.__module__, C.__name__), (mod, 'D.E'))
+ def test_evil_type_name(self):
+ # A badly placed Py_DECREF in type_set_name led to arbitrary code
+ # execution while the type structure was not in a sane state, and a
+ # possible segmentation fault as a result. See bug #16447.
+ class Nasty(str):
+ def __del__(self):
+ C.__name__ = "other"
+
+ class C(object):
+ pass
+
+ C.__name__ = Nasty("abc")
+ C.__name__ = "normal"
+
def test_subclass_right_op(self):
# Testing correct dispatch of subclass overloading __r<op>__...
Core and Builtins
-----------------
+- Issue #16447: Fixed potential segmentation fault when setting __name__ on a
+ class.
+
- Issue #17610: Don't rely on non-standard behavior of the C qsort() function.
Library
type_set_name(PyTypeObject *type, PyObject *value, void *context)
{
PyHeapTypeObject* et;
+ PyObject *tmp;
if (!(type->tp_flags & Py_TPFLAGS_HEAPTYPE)) {
PyErr_Format(PyExc_TypeError,
Py_INCREF(value);
- Py_DECREF(et->ht_name);
+ /* Wait until et is a sane state before Py_DECREF'ing the old et->ht_name
+ value. (Bug #16447.) */
+ tmp = et->ht_name;
et->ht_name = value;
type->tp_name = PyString_AS_STRING(value);
+ Py_DECREF(tmp);
return 0;
}
projects / thirdparty / Python / cpython.git / commitdiff
