authorGregory P. Smith <greg@mad-scientist.com>2007-10-09 06:50:43 (GMT)
committerGregory P. Smith <greg@mad-scientist.com>2007-10-09 06:50:43 (GMT)
commit10bed54ae2cc7751ba944bc8a99b9ca0a690c06a (patch)
tree2e30614b07caccae82cc24ed359ce97620b29117
parent392505391e1703fe0df4da8e077793f7e71b1075 (diff)
Fix a double free when positioning a database cursor to a non-existent
string key (and probably a few other situations with string keys). This was reported with a patch as pybsddb sourceforge bug 1708868 by jjjhhhlll at gmail.
-rw-r--r--Lib/bsddb/test/test_misc.py20
-rw-r--r--Modules/_bsddb.c14
2 files changed, 33 insertions, 1 deletions
diff --git a/Lib/bsddb/test/test_misc.py b/Lib/bsddb/test/test_misc.py
index 6b2df07..3e63354 100644
--- a/Lib/bsddb/test/test_misc.py
+++ b/Lib/bsddb/test/test_misc.py
@@ -53,6 +53,26 @@ class MiscTestCase(unittest.TestCase):
rp = repr(db)
self.assertEquals(rp, "{}")
+ # http://sourceforge.net/tracker/index.php?func=detail&aid=1708868&group_id=13900&atid=313900
+ #
+ # See the bug report for details.
+ #
+ # The problem was that make_key_dbt() was not allocating a copy of
+ # string keys but FREE_DBT() was always being told to free it when the
+ # database was opened with DB_THREAD.
+ def test04_double_free_make_key_dbt(self):
+ try:
+ db1 = db.DB()
+ db1.open(self.filename, None, db.DB_BTREE,
+ db.DB_CREATE | db.DB_THREAD)
+
+ curs = db1.cursor()
+ t = curs.get("/foo", db.DB_SET)
+ # double free happened during exit from DBC_get
+ finally:
+ db1.close()
+ os.unlink(self.filename)
+
#----------------------------------------------------------------------
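Review bot: In `test04_double_free_make_key_dbt`, `db1 = db.DB()` sits inside the `try`, so a failure in the constructor leaves `db1` unbound and the `finally` block raises a `NameError` that hides the original error. A failed `open()` would likewise reach `os.unlink(self.filename)` on a file that may never have been created. Create the handle before the `try` (`db1 = db.DB()` on the line above it) and keep only `open()`, `cursor()` and `get()` inside. The result `t` is never checked, so the test only detects the bug when the allocator aborts on the double free. Asserting the not-found result (presumably `self.assertEqual(t, None)`, to be confirmed against the cursor's get-returns-none setting) would also pin the functional behaviour.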
diff --git a/Modules/_bsddb.c b/Modules/_bsddb.c
index c840eaf..bc70cc3 100644
--- a/Modules/_bsddb.c
+++ b/Modules/_bsddb.c
@@ -328,7 +328,19 @@ make_key_dbt(DBObject* self, PyObject* keyobj, DBT* key, int* pflags)
return 0;
}
- key->data = PyString_AS_STRING(keyobj);
+ /*
+ * NOTE(gps): I don't like doing a data copy here, it seems
+ * wasteful. But without a clean way to tell FREE_DBT if it
+ * should free key->data or not we have to. Other places in
+ * the code check for DB_THREAD and forceably set DBT_MALLOC
+ * when we otherwise would leave flags 0 to indicate that.
+ */
+ key->data = strdup(PyString_AS_STRING(keyobj));
+ if (key->data == NULL) {
+ PyErr_SetString(PyExc_MemoryError, "Key memory allocation failed");
+ return 0;
+ }
+ key->flags = DB_DBT_REALLOC;
key->size = PyString_GET_SIZE(keyobj);
}
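Review bot: The `strdup()` copy stops at the first NUL byte, but `key->size` is still set from `PyString_GET_SIZE(keyobj)` two lines later. A Python string key with an embedded `\0` therefore yields a heap buffer shorter than the size handed to Berkeley DB, which would then read past the end of the allocation. Copy by length instead: `key->data = malloc(PyString_GET_SIZE(keyobj));` and, after the NULL check, `memcpy(key->data, PyString_AS_STRING(keyobj), PyString_GET_SIZE(keyobj));`. With that change an empty key needs care, since `malloc(0)` may return NULL and would be reported as a memory error. The body of `make_key_dbt` starts and ends outside this hunk, so whether other branches set `key->flags` consistently with `FREE_DBT` cannot be confirmed from here.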