[issue4877] xml.parsers.expat ParseFile() causes segmentation fault when passed a closed file object

Wed, 07 Jan 2009 21:01:25 -0800 

New submission from Steve Howard <d...@gostevehoward.com>:

In Python 2.5.4 built from unmodified source:

show...@showardlt:~/src/Python-2.5.4$ ./python
Python 2.5.4 (r254:67916, Jan  7 2009, 20:28:41) 
[GCC 4.2.4 (Ubuntu 4.2.4-1ubuntu3)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from xml.parsers import expat
>>> f=open('/tmp/foo')
>>> p=expat.ParserCreate()
>>> f.close()
>>> p.ParseFile(f)
Segmentation fault

The error is in the control flow in xmlparse_ParseFile()
(Modules/pyexpat.c:1000).  When passed a real file object that's been
closed, PyFile_Check() returns true, but then PyFile_AsFile() returns 0
(since f_fp on the file object is set to zero when the file is closed).
 So the local 'fp' is set to 0, and 'readmethod' is left as NULL.  The
conditional at 1033 then fails, and the call to readinst() at 1041
passes readmethod=NULL, leading eventually to a segfault in
PyObject_Call at Objects/abstract.c:1860.

I think it's present in 2.6 as well, but I'm not sure.  It seems to have
been fixed by chance in 3.0 because Guido removed the first branch in
xmlparse_ParseFile altogether in an unrelated change a while ago.

The attached patch simply checks for fp == 0 and raises an exception.  I
don't know if it's the proper solution but you get the idea.

Built with the attached patch:

show...@showardlt:~/src/Python-2.5.4$ ./python
Python 2.5.4 (r254:67916, Jan  7 2009, 20:28:41) 
[GCC 4.2.4 (Ubuntu 4.2.4-1ubuntu3)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from xml.parsers import expat
>>> f=open('/tmp/foo')
>>> p=expat.ParserCreate()
>>> f.close()   
>>> p.ParseFile(f)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ValueError: attempting to parse closed file

----------
components: XML
files: pyexpat_segfault_on_closed_file.patch
keywords: patch
messages: 79398
nosy: showard
severity: normal
status: open
title: xml.parsers.expat ParseFile() causes segmentation fault when passed a 
closed file object
type: crash
versions: Python 2.5
Added file: 
http://bugs.python.org/file12646/pyexpat_segfault_on_closed_file.patch

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue4877>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

Reply via email to