New submission from paul:
# Program received signal SIGSEGV, Segmentation fault.
# 0x080f27b2 in PyObject_Hash (v=<unknown at remote 0x405720e4>) at
Objects/object.c:746
# 746 if (tp->tp_hash != NULL)
# (gdb) bt
# #0 0x080f27b2 in PyObject_Hash (v=<unknown at remote 0x405720e4>) at
Objects/object.c:746
# #1 0x080e1717 in PyDict_SetItem (op={}, key=<unknown at remote 0x405720e4>,
value=None) at Objects/dictobject.c:1201
# #2 0x0810e8a0 in _PyObject_GetState (obj=<Y at remote 0x405731bc>) at
Objects/typeobject.c:3657
# #3 0x081100e9 in reduce_2 (obj=<Y at remote 0x405731bc>) at
Objects/typeobject.c:3949
# #4 0x08110551 in _common_reduce (self=<Y at remote 0x405731bc>, proto=2) at
Objects/typeobject.c:4012
# #5 0x08110641 in object_reduce (self=<Y at remote 0x405731bc>, args=(2,)) at
Objects/typeobject.c:4032
#
# (gdb) frame 2
# #2 0x0810e8a0 in _PyObject_GetState (obj=<Y at remote 0x405731bc>) at
Objects/typeobject.c:3657
# 3657 int err = PyDict_SetItem(slots, name, value);
# (gdb) print *name
# $1 = {_ob_next = 0xdbdbdbdb, _ob_prev = 0xdbdbdbdb, ob_refcnt = -606348325,
ob_type = 0xdbdbdbdb}
#
# "name" is freed inside __getattr__ and is later used by PyDict_SetItem.
----------
files: poc_getstate.py
messages: 242313
nosy: pkt
priority: normal
severity: normal
status: open
title: Use after free in PyObject_GetState
type: crash
versions: Python 3.4
Added file: http://bugs.python.org/file39248/poc_getstate.py
_______________________________________
Python tracker <[email protected]>
<http://bugs.python.org/issue24097>
_______________________________________
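The pattern the report describes (a name that is freed inside the attribute hook and then handed to PyDict_SetItem), as an added example that is not CPython's code and not the attached PoC. All names here (Obj, List, hostile_getattr, dict_set, getstate_borrowed, getstate_owned, run_case) are hypothetical, and "freeing" only sets a flag so the stale access can be observed without undefined behaviour. It assumes the name is a borrowed reference taken from a container that the hook is able to mutate.

```c
#include <stdio.h>
#include <stddef.h>

/* Toy refcounted object; release only poisons it (no real free). */
typedef struct { int refcnt; int freed; } Obj;
static void incref(Obj *o) { o->refcnt++; }
static void decref(Obj *o) { if (--o->refcnt == 0) o->freed = 1; }

/* Container that owns one reference to each slot name. */
typedef struct { Obj *items[4]; size_t len; } List;
static void list_clear(List *l) {
    for (size_t i = 0; i < l->len; i++) decref(l->items[i]);
    l->len = 0;
}

/* Stand-in for a user-defined __getattr__: mutates the list being walked. */
static void hostile_getattr(List *names) { list_clear(names); }
/* Stand-in for PyDict_SetItem: reports -1 when handed a freed key. */
static int dict_set(const Obj *key) { return key->freed ? -1 : 0; }

/* Reported pattern: name is only borrowed across the callback. */
static int getstate_borrowed(List *names) {
    for (size_t i = 0; i < names->len; i++) {
        Obj *name = names->items[i];        /* borrowed reference */
        hostile_getattr(names);             /* list drops its reference */
        if (dict_set(name) < 0) return -1;  /* key is stale here */
    }
    return 0;
}

/* Hardened: hold an owned reference for as long as name is in use. */
static int getstate_owned(List *names) {
    for (size_t i = 0; i < names->len; i++) {
        Obj *name = names->items[i];
        incref(name);                       /* keep name alive */
        hostile_getattr(names);
        int err = dict_set(name);
        decref(name);                       /* released only after last use */
        if (err < 0) return -1;
    }
    return 0;
}

/* Constructed sample: one slot name whose only owner is the list. */
static int run_case(int hardened) {
    Obj name = {1, 0};
    List names = {{&name}, 1};
    return hardened ? getstate_owned(&names) : getstate_borrowed(&names);
}
int main(void) { printf("borrowed=%d owned=%d\n", run_case(0), run_case(1)); return 0; }
```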