authorINADA Naoki <methane@users.noreply.github.com>2017-02-12 04:51:30 (GMT)
committerGitHub <noreply@github.com>2017-02-12 04:51:30 (GMT)
commit2294f3aee14a6074b17c67ef936c607430bb3c7a (patch)
tree3519ef6fe1a64699303a0e93a1aee67c565bb476
parente7ffb99f842ebff97cffa0fc90b18be4e5abecf2 (diff)
bpo-29438: fixed use-after-free in key sharing dict (#17)
-rw-r--r--Misc/NEWS2
-rw-r--r--Objects/dictobject.c10
2 files changed, 9 insertions, 3 deletions
diff --git a/Misc/NEWS b/Misc/NEWS
index 48d786d..eb870b7 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -10,6 +10,8 @@ What's New in Python 3.7.0 alpha 1?
Core and Builtins
-----------------
+- bpo-29438: Fixed use-after-free problem in key sharing dict.
+
- Issue #29319: Prevent RunMainFromImporter overwriting sys.path[0].
- Issue #29337: Fixed possible BytesWarning when compare the code objects.
diff --git a/Objects/dictobject.c b/Objects/dictobject.c
index 43584b7..5fe5272 100644
--- a/Objects/dictobject.c
+++ b/Objects/dictobject.c
@@ -4352,15 +4352,19 @@ _PyObjectDict_SetItem(PyTypeObject *tp, PyObject **dictptr,
}
if (value == NULL) {
res = PyDict_DelItem(dict, key);
- if (cached != ((PyDictObject *)dict)->ma_keys) {
+ // Since key sharing dict doesn't allow deletion, PyDict_DelItem()
+ // always converts dict to combined form.
+ if ((cached = CACHED_KEYS(tp)) != NULL) {
CACHED_KEYS(tp) = NULL;
DK_DECREF(cached);
}
}
else {
- int was_shared = cached == ((PyDictObject *)dict)->ma_keys;
+ int was_shared = (cached == ((PyDictObject *)dict)->ma_keys);
res = PyDict_SetItem(dict, key, value);
- if (was_shared && cached != ((PyDictObject *)dict)->ma_keys) {
+ if (was_shared &&
+ (cached = CACHED_KEYS(tp)) != NULL &&
+ cached != ((PyDictObject *)dict)->ma_keys) {
/* PyDict_SetItem() may call dictresize and convert split table
* into combined table. In such case, convert it to split
* table again and update type's shared key only when this is
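Review bot: After `PyDict_DelItem()` and `PyDict_SetItem()` return, the local `cached` read before the call can no longer be trusted, and the new comments do not say so: the delete-branch comment explains why the comparison with `ma_keys` was dropped, not why `CACHED_KEYS(tp)` is re-read. Presumably the call can run arbitrary code (key comparison, deallocation of the old value) that replaces or releases the type's shared keys, which would be the use-after-free named in the commit title; I would state that above both re-reads, e.g. `/* The call above may run arbitrary code that clears CACHED_KEYS(tp); re-read it and never reuse the pre-call pointer. */`. The delete branch also drops the type's shared keys when `res` is non-zero, so the "always converts" wording is worth checking against the failure path of `PyDict_DelItem()`, which is not visible here. The diffstat lists only Misc/NEWS and Objects/dictobject.c, so no regression test accompanies the fix. The body of `_PyObjectDict_SetItem` starts and ends outside the hunk.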