bpo-29438: fixed use-after-free in key sharing dict (#17)
methane committed Feb 12, 2017
1 parent 2a35c93 commit 3a7f482
Showing 2 changed files with 9 additions and 3 deletions.
2 changes: 2 additions & 0 deletions Misc/NEWS
Expand Up @@ -10,6 +10,8 @@ What's New in Python 3.6.1 release candidate 1?
Core and Builtins
-----------------

- bpo-29438: Fixed use-after-free problem in key sharing dict.

- Issue #29319: Prevent RunMainFromImporter overwriting sys.path[0].

- Issue #29337: Fixed possible BytesWarning when compare the code objects.
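
Review bot: the new Misc/NEWS entry says only "key sharing dict" and does not name the operation that was affected. Naming the code path changed in this commit, _PyObjectDict_SetItem(), or the set/delete operation it serves, would let a reader match the entry to a crash they are triaging. The entry also uses the "bpo-29438:" prefix while the entries below it use "Issue #NNNNN:"; worth confirming that this is the intended format from here on.
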
10 changes: 7 additions & 3 deletions Objects/dictobject.c
Expand Up @@ -4376,15 +4376,19 @@ _PyObjectDict_SetItem(PyTypeObject *tp, PyObject **dictptr,
}
if (value == NULL) {
res = PyDict_DelItem(dict, key);
if (cached != ((PyDictObject *)dict)->ma_keys) {
// Since key sharing dict doesn't allow deletion, PyDict_DelItem()
// always converts dict to combined form.
if ((cached = CACHED_KEYS(tp)) != NULL) {
CACHED_KEYS(tp) = NULL;
DK_DECREF(cached);
}
}
else {
int was_shared = cached == ((PyDictObject *)dict)->ma_keys;
int was_shared = (cached == ((PyDictObject *)dict)->ma_keys);
res = PyDict_SetItem(dict, key, value);
if (was_shared && cached != ((PyDictObject *)dict)->ma_keys) {
if (was_shared &&
(cached = CACHED_KEYS(tp)) != NULL &&
cached != ((PyDictObject *)dict)->ma_keys) {
/* PyDict_SetItem() may call dictresize and convert split table
* into combined table. In such case, convert it to split
* table again and update type's shared key only when this is
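
Review bot: in the value == NULL branch, the type's cached keys are now cleared and DK_DECREF'd without looking at res, so the new comment's claim that PyDict_DelItem() "always converts dict to combined form" has to hold for a failed delete as well; if it does not, every failed delete throws away the shared keys for the type. Either guard the block with res == 0 or reword the comment to say the drop is deliberate on both outcomes. In the else branch, the re-read `(cached = CACHED_KEYS(tp)) != NULL` after PyDict_SetItem() is what keeps a stale pointer out of the comparison, but it carries no comment; a line saying why the value read before the call can no longer be trusted would keep a later cleanup from folding it back into the pre-call read. The commit changes only Misc/NEWS and Objects/dictobject.c, so there is no regression test covering either branch; one that exercises both the delete and the set path would be worth adding.
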
