diff options
| author | Armin Rigo <arigo@tunes.org> | 2006-04-18 14:00:01 (GMT) |
|---|---|---|
| committer | Armin Rigo <arigo@tunes.org> | 2006-04-18 14:00:01 (GMT) |
| commit | 7e97ee6ac8ccfc5de437c51c677319a35700662a (patch) | |
| tree | c92ca9fa55578661def2cfd2f14a4558d2fb2fec | |
| parent | 15b1f146bc2d62ac1bfb8924cf799672ac3a61fe (diff) | |
| download | cpython-7e97ee6ac8ccfc5de437c51c677319a35700662a.zip cpython-7e97ee6ac8ccfc5de437c51c677319a35700662a.tar.gz cpython-7e97ee6ac8ccfc5de437c51c677319a35700662a.tar.bz2 | |
A dictresize() attack. If oldtable == mp->ma_smalltable then pure
Python code can mangle with mp->ma_smalltable while it is being walked
over.
| -rw-r--r-- | Lib/test/crashers/dictresize_attack.py | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/Lib/test/crashers/dictresize_attack.py b/Lib/test/crashers/dictresize_attack.py new file mode 100644 index 0000000..1895791 --- /dev/null +++ b/Lib/test/crashers/dictresize_attack.py @@ -0,0 +1,32 @@ +# http://www.python.org/sf/1456209 + +# A dictresize() attack. If oldtable == mp->ma_smalltable then pure +# Python code can mangle with mp->ma_smalltable while it is being walked +# over. + +class X(object): + + def __hash__(self): + return 5 + + def __eq__(self, other): + if resizing: + d.clear() + return False + + +d = {} + +resizing = False + +d[X()] = 1 +d[X()] = 2 +d[X()] = 3 +d[X()] = 4 +d[X()] = 5 + +# now trigger a resize +resizing = True +d[9] = 6 + +# ^^^ I get Segmentation fault or Illegal instruction here. |