Issue #24103: Fixed possible use after free in ElementTree.iterparse().

author: Serhiy Storchaka <storchaka@gmail.com> 2015-12-24 09:51:24 (GMT)
committer: Serhiy Storchaka <storchaka@gmail.com> 2015-12-24 09:51:24 (GMT)
commit: 20a003bea45a87e855826ddd0998d6ac389628d9 (patch)
tree: 9adf3e7b313d4b8f02ffa767845e55559ea46761
parent: 5951f2300f43d75d344d542e171daed47a0382a6 (diff)
download: cpython-20a003bea45a87e855826ddd0998d6ac389628d9.zip
cpython-20a003bea45a87e855826ddd0998d6ac389628d9.tar.gz
cpython-20a003bea45a87e855826ddd0998d6ac389628d9.tar.bz2
2 files changed, 9 insertions, 13 deletions
diff --git a/Misc/NEWS b/Misc/NEWS
index d8c4a9f..48f5ddf 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -29,6 +29,8 @@ Core and Builtins
 Library
 -------
 
+- Issue #24103: Fixed possible use after free in ElementTree.iterparse().
+
 - Issue #20954: _args_from_interpreter_flags used by multiprocessing and some
   tests no longer behaves incorrectly in the presence of the PYTHONHASHSEED
   environment variable.
diff --git a/Modules/_elementtree.c b/Modules/_elementtree.c
index 2647c7b..263d70a 100644
--- a/Modules/_elementtree.c
+++ b/Modules/_elementtree.c
@@ -2751,8 +2751,7 @@ xmlparser_setevents(XMLParserObject* self, PyObject* args)
     target = (TreeBuilderObject*) self->target;
 
     Py_INCREF(events);
-    Py_XDECREF(target->events);
-    target->events = events;
+    Py_SETREF(target->events, events);
 
     /* clear out existing events */
     Py_CLEAR(target->start_event_obj);
@@ -2774,33 +2773,28 @@ xmlparser_setevents(XMLParserObject* self, PyObject* args)
         char* event;
         if (!PyString_Check(item))
             goto error;
+        Py_INCREF(item);
         event = PyString_AS_STRING(item);
         if (strcmp(event, "start") == 0) {
-            Py_INCREF(item);
-            target->start_event_obj = item;
+            Py_SETREF(target->start_event_obj, item);
         } else if (strcmp(event, "end") == 0) {
-            Py_INCREF(item);
-            Py_XDECREF(target->end_event_obj);
-            target->end_event_obj = item;
+            Py_SETREF(target->end_event_obj, item);
         } else if (strcmp(event, "start-ns") == 0) {
-            Py_INCREF(item);
-            Py_XDECREF(target->start_ns_event_obj);
-            target->start_ns_event_obj = item;
+            Py_SETREF(target->start_ns_event_obj, item);
             EXPAT(SetNamespaceDeclHandler)(
                 self->parser,
                 (XML_StartNamespaceDeclHandler) expat_start_ns_handler,
                 (XML_EndNamespaceDeclHandler) expat_end_ns_handler
                 );
         } else if (strcmp(event, "end-ns") == 0) {
-            Py_INCREF(item);
-            Py_XDECREF(target->end_ns_event_obj);
-            target->end_ns_event_obj = item;
+            Py_SETREF(target->end_ns_event_obj, item);
             EXPAT(SetNamespaceDeclHandler)(
                 self->parser,
                 (XML_StartNamespaceDeclHandler) expat_start_ns_handler,
                 (XML_EndNamespaceDeclHandler) expat_end_ns_handler
                 );
         } else {
+            Py_DECREF(item);
             PyErr_Format(
                 PyExc_ValueError,
                 "unknown event '%s'", event
author	Serhiy Storchaka <storchaka@gmail.com>	2015-12-24 09:51:24 (GMT)
committer	Serhiy Storchaka <storchaka@gmail.com>	2015-12-24 09:51:24 (GMT)
commit	20a003bea45a87e855826ddd0998d6ac389628d9 (patch)
tree	9adf3e7b313d4b8f02ffa767845e55559ea46761
parent	5951f2300f43d75d344d542e171daed47a0382a6 (diff)
download	cpython-20a003bea45a87e855826ddd0998d6ac389628d9.zip cpython-20a003bea45a87e855826ddd0998d6ac389628d9.tar.gz cpython-20a003bea45a87e855826ddd0998d6ac389628d9.tar.bz2