Issue #16447: Merge fix from 3.3.

3 files changed, 21 insertions, 1 deletions

diff --git a/Lib/test/test_descr.py b/Lib/test/test_descr.py
index b5a10ed..3776389 100644
--- a/Lib/test/test_descr.py
+++ b/Lib/test/test_descr.py
@@ -3997,6 +3997,20 @@ order (MRO) for bases """
         C.__name__ = 'D.E'
         self.assertEqual((C.__module__, C.__name__), (mod, 'D.E'))
 
+    def test_evil_type_name(self):
+        # A badly placed Py_DECREF in type_set_name led to arbitrary code
+        # execution while the type structure was not in a sane state, and a
+        # possible segmentation fault as a result.  See bug #16447.
+        class Nasty(str):
+            def __del__(self):
+                C.__name__ = "other"
+
+        class C:
+            pass
+
+        C.__name__ = Nasty("abc")
+        C.__name__ = "normal"
+
     def test_subclass_right_op(self):
         # Testing correct dispatch of subclass overloading __r<op>__...
 
diff --git a/Misc/NEWS b/Misc/NEWS
index eeeb9cc..4f42ff5 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -10,6 +10,9 @@ What's New in Python 3.4.0 Alpha 1?
 Core and Builtins
 -----------------
 
+- Issue #16447: Fixed potential segmentation fault when setting __name__ on a
+  class.
+
 - Issue #17669: Fix crash involving finalization of generators using yield from.
 
 - Issue #14439: Python now prints the traceback on runpy failure at startup.
diff --git a/Objects/typeobject.c b/Objects/typeobject.c
index 0c881b7..5093452 100644
--- a/Objects/typeobject.c
+++ b/Objects/typeobject.c
@@ -298,10 +298,13 @@ type_set_name(PyTypeObject *type, PyObject *value, void *context)
 
     Py_INCREF(value);
 
-    Py_DECREF(et->ht_name);
+    /* Wait until et is a sane state before Py_DECREF'ing the old et->ht_name
+       value.  (Bug #16447.)  */
+    tmp = et->ht_name;
     et->ht_name = value;
 
     type->tp_name = tp_name;
+    Py_DECREF(tmp);
 
     return 0;
 }