From 1f0e7c99331750d1683287218cbab99dc26b2b83 Mon Sep 17 00:00:00 2001
From: Benjamin Peterson
Date: Tue, 16 Aug 2016 23:35:35 -0700
Subject: [PATCH] rearrange methodcaller_new so that the main error case does not cause uninitialized memory usage (closes #27783)
---
 Misc/NEWS | 2 ++
 Modules/operator.c | 15 +++++++--------
 2 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/Misc/NEWS b/Misc/NEWS
index 8c7acaf6482..a38d8beeb1d 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -29,6 +29,8 @@ Core and Builtins
 Library
 -------
+- Issue #27783: Fix possible usage of uninitialized memory in operator.methodcaller.
+
 - Issue #27774: Fix possible Py_DECREF on unowned object in _sre.
 - Issue #27760: Fix possible integer overflow in binascii.b2a_qp.
diff --git a/Modules/operator.c b/Modules/operator.c
index 5156b6b32d5..d6443bf2b25 100644
--- a/Modules/operator.c
+++ b/Modules/operator.c
@@ -776,7 +776,7 @@ static PyObject *
 methodcaller_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
 {
 methodcallerobject *mc;
- PyObject *name, *newargs;
+ PyObject *name;
 if (PyTuple_GET_SIZE(args) < 1) {
 PyErr_SetString(PyExc_TypeError, "methodcaller needs at least "
@@ -789,13 +789,6 @@ methodcaller_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
 if (mc == NULL)
 return NULL;
- newargs = PyTuple_GetSlice(args, 1, PyTuple_GET_SIZE(args));
- if (newargs == NULL) {
- Py_DECREF(mc);
- return NULL;
- }
- mc->args = newargs;
-
 name = PyTuple_GET_ITEM(args, 0);
 Py_INCREF(name);
 mc->name = name;
@@ -803,6 +796,12 @@ methodcaller_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
 Py_XINCREF(kwds);
 mc->kwds = kwds;
+ mc->args = PyTuple_GetSlice(args, 1, PyTuple_GET_SIZE(args));
+ if (mc->args == NULL) {
+ Py_DECREF(mc);
+ return NULL;
+ }
+
 PyObject_GC_Track(mc);
 return (PyObject *)mc;
 }
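Review bot: The ordering this fix depends on is not written down anywhere in methodcaller_new. In the last Modules/operator.c hunk, `Py_DECREF(mc)` after a failed `PyTuple_GetSlice` is safe only because `mc->name` and `mc->kwds` were assigned first. The object returned by PyObject_GC_New is not zeroed, so a later edit that adds another fallible step with an early `Py_DECREF(mc)` before all three fields are set would reintroduce the uninitialized-pointer read. I would add a comment directly after the allocation check, such as `/* mc is not zeroed: set name, kwds and args before any Py_DECREF(mc) */`. The error path also presumably relies on the deallocator, which is outside this diff, tolerating `mc->args == NULL` and an object that was never GC-tracked, so confirm it uses `Py_XDECREF` on that field.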