diff options
-rw-r--r-- | Misc/NEWS | 2 | ||||
-rw-r--r-- | Modules/_elementtree.c | 32 |
2 files changed, 15 insertions, 19 deletions
@@ -118,6 +118,8 @@ Core and Builtins Library ------- +- Issue #24103: Fixed possible use after free in ElementTree.XMLPullParser. + - Issue #25860: os.fwalk() no longer skips remaining directories when error occurs. Original patch by Samson Lee. diff --git a/Modules/_elementtree.c b/Modules/_elementtree.c index 5908c72..f69ce29 100644 --- a/Modules/_elementtree.c +++ b/Modules/_elementtree.c @@ -3581,7 +3581,7 @@ _elementtree_XMLParser__setevents_impl(XMLParserObject *self, /*[clinic end generated code: output=1440092922b13ed1 input=abf90830a1c3b0fc]*/ { /* activate element event reporting */ - Py_ssize_t i, seqlen; + Py_ssize_t i; TreeBuilderObject *target; PyObject *events_append, *events_seq; @@ -3599,8 +3599,7 @@ _elementtree_XMLParser__setevents_impl(XMLParserObject *self, events_append = PyObject_GetAttrString(events_queue, "append"); if (events_append == NULL) return NULL; - Py_XDECREF(target->events_append); - target->events_append = events_append; + Py_SETREF(target->events_append, events_append); /* clear out existing events */ Py_CLEAR(target->start_event_obj); @@ -3619,46 +3618,41 @@ _elementtree_XMLParser__setevents_impl(XMLParserObject *self, return NULL; } - seqlen = PySequence_Size(events_seq); - for (i = 0; i < seqlen; ++i) { + for (i = 0; i < PySequence_Size(events_seq); ++i) { PyObject *event_name_obj = PySequence_Fast_GET_ITEM(events_seq, i); char *event_name = NULL; if (PyUnicode_Check(event_name_obj)) { - event_name = _PyUnicode_AsString(event_name_obj); + event_name = PyUnicode_AsUTF8(event_name_obj); } else if (PyBytes_Check(event_name_obj)) { event_name = PyBytes_AS_STRING(event_name_obj); } - if (event_name == NULL) { Py_DECREF(events_seq); PyErr_Format(PyExc_ValueError, "invalid events sequence"); return NULL; - } else if (strcmp(event_name, "start") == 0) { - Py_INCREF(event_name_obj); - target->start_event_obj = event_name_obj; + } + + Py_INCREF(event_name_obj); + if (strcmp(event_name, "start") == 0) { + Py_SETREF(target->start_event_obj, event_name_obj); } else if (strcmp(event_name, "end") == 0) { - Py_INCREF(event_name_obj); - Py_XDECREF(target->end_event_obj); - target->end_event_obj = event_name_obj; + Py_SETREF(target->end_event_obj, event_name_obj); } else if (strcmp(event_name, "start-ns") == 0) { - Py_INCREF(event_name_obj); - Py_XDECREF(target->start_ns_event_obj); - target->start_ns_event_obj = event_name_obj; + Py_SETREF(target->start_ns_event_obj, event_name_obj); EXPAT(SetNamespaceDeclHandler)( self->parser, (XML_StartNamespaceDeclHandler) expat_start_ns_handler, (XML_EndNamespaceDeclHandler) expat_end_ns_handler ); } else if (strcmp(event_name, "end-ns") == 0) { - Py_INCREF(event_name_obj); - Py_XDECREF(target->end_ns_event_obj); - target->end_ns_event_obj = event_name_obj; + Py_SETREF(target->end_ns_event_obj, event_name_obj); EXPAT(SetNamespaceDeclHandler)( self->parser, (XML_StartNamespaceDeclHandler) expat_start_ns_handler, (XML_EndNamespaceDeclHandler) expat_end_ns_handler ); } else { + Py_DECREF(event_name_obj); Py_DECREF(events_seq); PyErr_Format(PyExc_ValueError, "unknown event '%s'", event_name); return NULL; |