summaryrefslogtreecommitdiffstats
path: root/Objects/listobject.c
diff options
context:
space:
mode:
authorMichael W. Hudson <mwh@python.net>2003-12-04 11:25:46 (GMT)
committerMichael W. Hudson <mwh@python.net>2003-12-04 11:25:46 (GMT)
commit1df0f654e845ef7c1252db10b88066691807be5b (patch)
tree69261072cb9f43e20ab635b8193f88c01ddcc391 /Objects/listobject.c
parentc6c5ece7e2ece9ac5c4ba3b06a1d56b78cf74b27 (diff)
downloadcpython-1df0f654e845ef7c1252db10b88066691807be5b.zip
cpython-1df0f654e845ef7c1252db10b88066691807be5b.tar.gz
cpython-1df0f654e845ef7c1252db10b88066691807be5b.tar.bz2
Fixes and tests for various "holding pointers when arbitrary Python code
can run" bugs as discussed in [ 848856 ] couple of new list.sort bugs
Diffstat (limited to 'Objects/listobject.c')
-rw-r--r--Objects/listobject.c81
1 files changed, 46 insertions, 35 deletions
diff --git a/Objects/listobject.c b/Objects/listobject.c
index 95aa484..ce3ac6d 100644
--- a/Objects/listobject.c
+++ b/Objects/listobject.c
@@ -1848,7 +1848,7 @@ listsort(PyListObject *self, PyObject *args, PyObject *kwds)
PyObject *result = NULL; /* guilty until proved innocent */
int reverse = 0;
PyObject *keyfunc = NULL;
- int i, len = 0;
+ int i;
PyObject *key, *value, *kvpair;
static char *kwlist[] = {"cmp", "key", "reverse", 0};
@@ -1870,45 +1870,56 @@ listsort(PyListObject *self, PyObject *args, PyObject *kwds)
} else
Py_XINCREF(compare);
+ /* The list is temporarily made empty, so that mutations performed
+ * by comparison functions can't affect the slice of memory we're
+ * sorting (allowing mutations during sorting is a core-dump
+ * factory, since ob_item may change).
+ */
+ saved_ob_size = self->ob_size;
+ saved_ob_item = self->ob_item;
+ self->ob_size = 0;
+ self->ob_item = empty_ob_item = PyMem_NEW(PyObject *, 0);
+
if (keyfunc != NULL) {
- len = PyList_GET_SIZE(self);
- for (i=0 ; i < len ; i++) {
- value = PyList_GET_ITEM(self, i);
+ for (i=0 ; i < saved_ob_size ; i++) {
+ value = saved_ob_item[i];
key = PyObject_CallFunctionObjArgs(keyfunc, value,
NULL);
if (key == NULL) {
for (i=i-1 ; i>=0 ; i--) {
- kvpair = PyList_GET_ITEM(self, i);
+ kvpair = saved_ob_item[i];
value = sortwrapper_getvalue(kvpair);
- PyList_SET_ITEM(self, i, value);
+ saved_ob_item[i] = value;
Py_DECREF(kvpair);
}
+ if (self->ob_item != empty_ob_item
+ || self->ob_size) {
+ /* If the list changed *as well* we
+ have two errors. We let the first
+ one "win", but we shouldn't let
+ what's in the list currently
+ leak. */
+ (void)list_ass_slice(
+ self, 0, self->ob_size,
+ (PyObject *)NULL);
+ }
+
goto dsu_fail;
}
kvpair = build_sortwrapper(key, value);
if (kvpair == NULL)
goto dsu_fail;
- PyList_SET_ITEM(self, i, kvpair);
+ saved_ob_item[i] = kvpair;
}
}
/* Reverse sort stability achieved by initially reversing the list,
applying a stable forward sort, then reversing the final result. */
- if (reverse && self->ob_size > 1)
- reverse_slice(self->ob_item, self->ob_item + self->ob_size);
+ if (reverse && saved_ob_size > 1)
+ reverse_slice(saved_ob_item, saved_ob_item + saved_ob_size);
merge_init(&ms, compare);
- /* The list is temporarily made empty, so that mutations performed
- * by comparison functions can't affect the slice of memory we're
- * sorting (allowing mutations during sorting is a core-dump
- * factory, since ob_item may change).
- */
- saved_ob_size = self->ob_size;
- saved_ob_item = self->ob_item;
- self->ob_size = 0;
- self->ob_item = empty_ob_item = PyMem_NEW(PyObject *, 0);
-
nremaining = saved_ob_size;
if (nremaining < 2)
goto succeed;
@@ -1959,6 +1970,15 @@ listsort(PyListObject *self, PyObject *args, PyObject *kwds)
succeed:
result = Py_None;
fail:
+ if (keyfunc != NULL) {
+ for (i=0 ; i < saved_ob_size ; i++) {
+ kvpair = saved_ob_item[i];
+ value = sortwrapper_getvalue(kvpair);
+ saved_ob_item[i] = value;
+ Py_DECREF(kvpair);
+ }
+ }
+
if (self->ob_item != empty_ob_item || self->ob_size) {
/* The user mucked with the list during the sort. */
(void)list_ass_slice(self, 0, self->ob_size, (PyObject *)NULL);
@@ -1968,26 +1988,17 @@ fail:
result = NULL;
}
}
- if (self->ob_item == empty_ob_item)
- PyMem_FREE(empty_ob_item);
- self->ob_size = saved_ob_size;
- self->ob_item = saved_ob_item;
- merge_freemem(&ms);
- if (keyfunc != NULL) {
- len = PyList_GET_SIZE(self);
- for (i=0 ; i < len ; i++) {
- kvpair = PyList_GET_ITEM(self, i);
- value = sortwrapper_getvalue(kvpair);
- PyList_SET_ITEM(self, i, value);
- Py_DECREF(kvpair);
- }
- }
+ if (reverse && saved_ob_size > 1)
+ reverse_slice(saved_ob_item, saved_ob_item + saved_ob_size);
- if (reverse && self->ob_size > 1)
- reverse_slice(self->ob_item, self->ob_item + self->ob_size);
+ merge_freemem(&ms);
dsu_fail:
+ if (self->ob_item == empty_ob_item)
+ PyMem_FREE(empty_ob_item);
+ self->ob_size = saved_ob_size;
+ self->ob_item = saved_ob_item;
Py_XDECREF(compare);
Py_XINCREF(result);
return result;