Bugs item #1517663, was opened at 2006-07-05 13:33
Message generated for change (Settings changed) made by collinwinter
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=1517663&group_id=5470

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: Python Interpreter Core
Group: Python 2.5
Status: Open
Resolution: None
>Priority: 7
Submitted By: Collin Winter (collinwinter)
Assigned to: Nobody/Anonymous (nobody)
Summary: Interpreter crash: filter() + gc.get_referrers()

Initial Comment:
Similar to the bug in tuple() shown in the current (r47245) version of Lib/test/crashers/gc_inspection.py, filter() can be exploited in similar ways. Rather than the tricky generator used to exploit tuple(), the attached test case uses a subclass of tuple with a malicious __getitem__ method. The pattern being exploited is the same, however: a built-in function pre-allocates a tuple, then fills it using calls to user-defined code.

gc_inspection.py.diff also expands the infrastructure in gc_inspection.py, allowing multiple test functions to run that could crash the interpreter.

The second patch, fix_filter_crash.patch, is against Python/bltinmodule.c and adds _PyObject_GC_TRACK/UNTRACK macros around the call to the type's sq_item slot in filtertuple().
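
The pattern described in the report (pre-allocate a container, then fill it through calls to user-defined code) and the untrack-around-the-call mitigation, as an added example that is not part of the tracker item or of CPython. It is a toy model: Container, gc_track, gc_untrack, user_getitem and build_container are hypothetical names, and the "GC list" is a plain array rather than CPython's collector.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_TRACKED 4
typedef struct { size_t size; const char **items; } Container;

static Container *tracked[MAX_TRACKED];  /* toy stand-in for the GC's object list */
static size_t exposed_null_slots;        /* unfilled slots that user code could see */

static void gc_track(Container *c) {
    for (size_t i = 0; i < MAX_TRACKED; i++)
        if (!tracked[i]) { tracked[i] = c; return; }
}
static void gc_untrack(Container *c) {
    for (size_t i = 0; i < MAX_TRACKED; i++)
        if (tracked[i] == c) tracked[i] = NULL;
}

/* Stand-in for user code that inspects GC-tracked objects from inside the
 * item lookup: it counts every still-NULL slot it can reach. */
static const char *user_getitem(size_t index) {
    (void)index;
    for (size_t i = 0; i < MAX_TRACKED; i++)
        for (size_t j = 0; tracked[i] && j < tracked[i]->size; j++)
            if (tracked[i]->items[j] == NULL) exposed_null_slots++;
    return "item";
}

/* Pre-allocate n NULL slots, then fill them one call at a time.
 * Returns how many NULL slots the callbacks were able to observe. */
size_t build_container(size_t n, int untrack_during_call) {
    Container c = { n, calloc(n, sizeof(const char *)) };
    if (!c.items) return (size_t)-1;
    exposed_null_slots = 0;
    gc_track(&c);                                /* allocation tracks the container */
    for (size_t i = 0; i < n; i++) {
        if (untrack_during_call) gc_untrack(&c); /* hide while user code runs */
        const char *value = user_getitem(i);
        if (untrack_during_call) gc_track(&c);   /* visible again afterwards */
        c.items[i] = value;
    }
    gc_untrack(&c);
    free(c.items);
    return exposed_null_slots;
}

int main(void) {
    printf("tracked during call:   %zu\n", build_container(3, 0));
    printf("untracked during call: %zu\n", build_container(3, 1));
    return 0;
}
```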