diff options
| author | Yury Selivanov <yury@magic.io> | 2017-07-05 17:32:03 (GMT) |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2017-07-05 17:32:03 (GMT) |
| commit | 833a3b0d3707200daeaccdd218e8f18a190284aa (patch) | |
| tree | 88cc8ea50a8f2709b437b7308015ba2a48538788 | |
| parent | 8207c17486baece8ed0ac42d9f8d69ecec4ba7e4 (diff) | |
| download | cpython-833a3b0d3707200daeaccdd218e8f18a190284aa.zip cpython-833a3b0d3707200daeaccdd218e8f18a190284aa.tar.gz cpython-833a3b0d3707200daeaccdd218e8f18a190284aa.tar.bz2 | |
bpo-30828: Fix out of bounds write in `asyncio.CFuture.remove_done_callback() (#2569)
| -rw-r--r-- | Lib/test/test_asyncio/test_futures.py | 24 | ||||
| -rw-r--r-- | Misc/NEWS.d/next/Library/2017-07-04-13-10-52.bpo-30828.CLvEvV.rst | 1 | ||||
| -rw-r--r-- | Modules/_asynciomodule.c | 13 |
3 files changed, 34 insertions, 4 deletions
diff --git a/Lib/test/test_asyncio/test_futures.py b/Lib/test/test_asyncio/test_futures.py index 5d4b2d2..ce657fc 100644 --- a/Lib/test/test_asyncio/test_futures.py +++ b/Lib/test/test_asyncio/test_futures.py @@ -593,7 +593,7 @@ class BaseFutureDoneCallbackTests(): fut.remove_done_callback(evil()) - def test_schedule_callbacks_list_mutation(self): + def test_schedule_callbacks_list_mutation_1(self): # see http://bugs.python.org/issue28963 for details def mut(f): @@ -606,6 +606,28 @@ class BaseFutureDoneCallbackTests(): fut.set_result(1) test_utils.run_briefly(self.loop) + def test_schedule_callbacks_list_mutation_2(self): + # see http://bugs.python.org/issue30828 for details + + fut = self._new_future() + fut.add_done_callback(str) + + for _ in range(63): + fut.add_done_callback(id) + + max_extra_cbs = 100 + extra_cbs = 0 + + class evil: + def __eq__(self, other): + nonlocal extra_cbs + extra_cbs += 1 + if extra_cbs < max_extra_cbs: + fut.add_done_callback(id) + return False + + fut.remove_done_callback(evil()) + @unittest.skipUnless(hasattr(futures, '_CFuture'), 'requires the C _asyncio module') diff --git a/Misc/NEWS.d/next/Library/2017-07-04-13-10-52.bpo-30828.CLvEvV.rst b/Misc/NEWS.d/next/Library/2017-07-04-13-10-52.bpo-30828.CLvEvV.rst new file mode 100644 index 0000000..8924962 --- /dev/null +++ b/Misc/NEWS.d/next/Library/2017-07-04-13-10-52.bpo-30828.CLvEvV.rst @@ -0,0 +1 @@ +Fix out of bounds write in `asyncio.CFuture.remove_done_callback()`. diff --git a/Modules/_asynciomodule.c b/Modules/_asynciomodule.c index b8a88e6..b998a04 100644 --- a/Modules/_asynciomodule.c +++ b/Modules/_asynciomodule.c @@ -532,9 +532,16 @@ _asyncio_Future_remove_done_callback(FutureObj *self, PyObject *fn) goto fail; } if (ret == 0) { - Py_INCREF(item); - PyList_SET_ITEM(newlist, j, item); - j++; + if (j < len) { + Py_INCREF(item); + PyList_SET_ITEM(newlist, j, item); + j++; + } + else { + if (PyList_Append(newlist, item)) { + goto fail; + } + } } } |