A dictresize() attack. If oldtable == mp->ma_smalltable then pure

Python code can mangle with mp->ma_smalltable while it is being walked over.
2006-04-18 14:00:01 +00:00 · 2006-04-18 14:00:01 +00:00 · 7e97ee6ac8
parent 15b1f146bc
commit 7e97ee6ac8
1 changed files with 32 additions and 0 deletions
--- a/Lib/test/crashers/dictresize_attack.py
+++ b/Lib/test/crashers/dictresize_attack.py
@ -0,0 +1,32 @@
+# http://www.python.org/sf/1456209
+
+# A dictresize() attack.  If oldtable == mp->ma_smalltable then pure
+# Python code can mangle with mp->ma_smalltable while it is being walked
+# over.
+
+class X(object):
+
+    def __hash__(self):
+        return 5
+
+    def __eq__(self, other):
+        if resizing:
+            d.clear()
+        return False
+
+
+d = {}
+
+resizing = False
+
+d[X()] = 1
+d[X()] = 2
+d[X()] = 3
+d[X()] = 4
+d[X()] = 5
+
+# now trigger a resize
+resizing = True
+d[9] = 6
+
+# ^^^ I get Segmentation fault or Illegal instruction here.