New submission from Daniel Stutzbach <dan...@stutzbachenterprises.com>:
I noticed that file_close() calls close_the_file(), then frees the
buffer for the file object. However, close_the_file() may fail and
return NULL if the file object is currently in use by another thread, in
which case freeing the buffer from underneath the C stdio library may
cause a crash.
Here's the relevant bit of code from fileobject.c:
static PyObject *
file_close(PyFileObject *f)
{
PyObject *sts = close_the_file(f);
PyMem_Free(f->f_setbuf);
f->f_setbuf = NULL;
return sts;
}
I think the two middle lines of the function should be wrapped in an "if
(sts)" block.
Attached is a short program that causes python to crash on two of my
systems (Windows XP running Python 2.6.3 and Debian running Python 2.5)
and a patch with my proposed fix.
I think Python 3 is immune because the I/O code has been completely
rewritten. I have not checked the Python 3 code to see if there are any
analogous problems in the new code, however.
----------
components: IO, Interpreter Core
files: fileobject.diff
keywords: patch
messages: 93723
nosy: stutzbach
severity: normal
status: open
title: file_close() ignores return value of close_the_file
type: crash
versions: Python 2.5, Python 2.6, Python 2.7
Added file: http://bugs.python.org/file15076/fileobject.diff
_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue7079>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe:
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
