From: Tim Peters
Date: Sun, 17 Jul 2005 23:45:23 +0000 (+0000)
Subject: SF bug #1238681: freed pointer is used in longobject.c:long_pow().
X-Git-Tag: v2.5a0~1580
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=de7990b8af50e7f2ebf6776b948fdb48408ccb02;p=thirdparty%2FPython%2Fcpython.git
SF bug #1238681: freed pointer is used in longobject.c:long_pow().
In addition, long_pow() skipped a necessary (albeit extremely unlikely to trigger) error check when converting an int modulus to long. Alas, I was unable to write a test case that crashed due to either cause. Bugfix candidate.
---
diff --git a/Misc/NEWS b/Misc/NEWS
index 89583e094c58..27d27632fe83 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -12,6 +12,8 @@ What's New in Python 2.5 alpha 1?
 Core and builtins
 -----------------
+- SF bug #1238681: freed pointer is used in longobject.c:long_pow().
+
 - SF bug #1229429: PyObject_CallMethod failed to decrement some reference counts in some error exit cases.
diff --git a/Objects/longobject.c b/Objects/longobject.c
index 1f328dd35d07..ff5ba6f2eba0 100644
--- a/Objects/longobject.c
+++ b/Objects/longobject.c
@@ -2360,8 +2360,11 @@ long_pow(PyObject *v, PyObject *w, PyObject *x)
 c = (PyLongObject *)x;
 Py_INCREF(x);
 }
- else if (PyInt_Check(x))
+ else if (PyInt_Check(x)) {
 c = (PyLongObject *)PyLong_FromLong(PyInt_AS_LONG(x));
+ if (c == NULL)
+ goto Error;
+ }
 else if (x == Py_None)
 c = NULL;
 else {
@@ -2511,14 +2514,14 @@ long_pow(PyObject *v, PyObject *w, PyObject *x)
 }
 /* fall through */
 Done:
- Py_XDECREF(a);
- Py_XDECREF(b);
- Py_XDECREF(c);
- Py_XDECREF(temp);
 if (b->ob_size > FIVEARY_CUTOFF) {
 for (i = 0; i < 32; ++i)
 Py_XDECREF(table[i]);
 }
+ Py_DECREF(a);
+ Py_DECREF(b);
+ Py_XDECREF(c);
+ Py_XDECREF(temp);
 return (PyObject *)z;
 }
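Review bot: Nothing at the new `if (c == NULL)` test records that `c == NULL` is also the deliberate "no modulus" value, as set two lines later in the `x == Py_None` branch. Without the test, a failed `PyLong_FromLong` would have been indistinguishable from that case, presumably with an exception still pending while the computation carried on. A one-line comment on the test would keep the two meanings apart for later readers, e.g. `/* NULL here is a failed conversion, not "no modulus" */`. The start of long_pow and the `Error` label it jumps to are outside this hunk.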
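Review bot: The `Done:` cleanup carries no comment explaining why the decrefs of `a` and `b` must follow the `table` loop. The loop's guard reads `b->ob_size`, so releasing `b` first leaves that read on memory that may already be freed. A short comment above the guard would stop a later tidy-up from reordering it, e.g. `/* the cutoff test reads b; release a and b only after it */`. The change from `Py_XDECREF` to `Py_DECREF` for `a` and `b` also assumes both are non-NULL on every path into `Error`/`Done`, including the `goto Error` added in the earlier hunk; they are assigned outside the visible lines, so that should be confirmed and stated in the same comment. The body of long_pow starts outside this hunk.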