Commit Graph

28 Commits

Author SHA1 Message Date
Brett Cannon 1e534b5425 Fix a crasher where Python code managed to infinitely recurse in C code without
ever going back out to Python code in PyObject_Call().  Required introducing a
static RuntimeError instance so that normalizing an exception there is no
reliance on a recursive call that would put the exception system over the
recursion check itself.
2007-09-07 04:18:30 +00:00
Armin Rigo 337841dac7 PyDict_GetItem() returns a borrowed reference.
This attack is against ceval.c:IMPORT_NAME, which calls an
object (__builtin__.__import__) without holding a reference to it.
2007-09-06 09:30:38 +00:00
Armin Rigo 362bb51503 PyDict_GetItem() returns a borrowed reference.
There are probably a number of places that are open to attacks
such as the following one, in bltinmodule.c:min_max().
2007-09-05 07:51:21 +00:00
Georg Brandl bf138333ce Add a crasher for the thread-unsafety of file objects. 2007-08-28 18:54:44 +00:00
Armin Rigo 9790a27065 Fix for #1303614 and #1174712:
- __dict__ descriptor abuse for subclasses of built-in types
- subclassing from both ModuleType and another built-in type

Thanks zseil for the patch.
2007-05-02 19:23:31 +00:00
Armin Rigo adf172339c Modify the segfaulting example to show why r53997 is not a solution to
it.
2007-02-28 09:25:29 +00:00
Jeremy Hylton fa955697fa Add checking for a number of metaclass error conditions.
We add some new rules that are required for preserving internal
invariants of types.

1.  If type (or a subclass of type) appears in bases, it must appear
    before any non-type bases.  If a non-type base (like a regular
    new-style class) occurred first, it could trick type into
    allocating the new class an __dict__ which must be impossible.

2. There are several checks that are made of bases when creating a
   type.  Those checks are now repeated when assigning to __bases__.
   We also add the restriction that assignment to __bases__ may not
   change the metaclass of the type.

Add new tests for these cases and for a few other oddball errors that
were not previously tested.  Remove a crasher test that was fixed.

Also some internal refactoring:  Extract the code to find the most
derived metaclass of a type and its bases.  It is now needed in two
places.  Rewrite the TypeError checks in test_descr to use doctest.
The tests now clearly show what exception they expect to see.
2007-02-27 18:29:45 +00:00
Brett Cannon f5bee30e30 Fix crasher for when an object's __del__ creates a new weakref to itself.
Patch only fixes new-style classes; classic classes still buggy.

Closes bug #1377858.  Already backported.
2007-01-23 23:21:22 +00:00
Armin Rigo c839c2f226 Another crasher. 2006-09-25 15:16:26 +00:00
Neal Norwitz 361b46be24 Add a "crasher" taken from the sgml bug report referenced in the comment 2006-09-11 04:32:57 +00:00
Armin Rigo cd73a78b68 The regular expression engine in '_sre' can segfault when interpreting
bogus bytecode.  It is unclear whether this is a real bug or a "won't
fix" case like bogus_code_obj.py.
2006-08-25 12:44:28 +00:00
Armin Rigo b62efad943 Document the crashers that will not go away soon as "won't fix",
and explain why.
2006-07-25 18:38:39 +00:00
Armin Rigo 5a9a2a3fe1 Added another crasher, which hit me today (I was not intentionally
writing such code, of course, but it took some gdb time to figure out
what my bug was).
2006-07-25 18:11:07 +00:00
Armin Rigo 4df7c0a55b Document why is and is not a good way to fix the gc_inspection crasher. 2006-07-25 18:09:57 +00:00
Armin Rigo 5953baca0a A couple of examples about how to attack the fact that _PyType_Lookup()
returns a borrowed ref.  Many of the calls are open to attack.
2006-07-06 07:58:18 +00:00
Fred Drake 6ffe499397 SF bug #1296433 (Expat bug #1515266): Unchecked calls to character data
handler would cause a segfault.  This merges in Expat's lib/xmlparse.c
revisions 1.154 and 1.155, which fix this and a closely related problem
(the latter does not affect Python).

Moved the crasher test to the tests for xml.parsers.expat.
2006-07-01 16:28:20 +00:00
Armin Rigo d77ef8fa51 A couple of crashers of the "won't fix" kind. 2006-06-28 10:49:51 +00:00
Brett Cannon ea3912b0da If a classic class defined a __coerce__() method that just returned its two
arguments in reverse, the interpreter would infinitely recurse trying to get a
coercion that worked.  So put in a recursion check after a coercion is made and
the next call to attempt to use the coerced values.

Fixes bug #992017 and closes crashers/coerce.py.
2006-06-13 21:46:41 +00:00
Brett Cannon 22565aac3b An object with __call__ as an attribute, when called, will have that attribute checked for __call__ itself, and will continue to look until it finds an object without the attribute. This can lead to an infinite recursion.
Closes bug #532646, again.  Will be backported.
2006-06-09 22:31:23 +00:00
Armin Rigo 35f6d36951 [ 1497053 ] Let dicts propagate the exceptions in user __eq__().
[ 1456209 ] dictresize() vulnerability ( <- backport candidate ).
2006-06-01 13:19:12 +00:00
Armin Rigo 7e97ee6ac8 A dictresize() attack. If oldtable == mp->ma_smalltable then pure
Python code can mangle with mp->ma_smalltable while it is being walked
over.
2006-04-18 14:00:01 +00:00
Michael W. Hudson 15b1f146bc add a very old crasher from the 2.1 -> 2.2 round of dictionary fixes. 2006-04-18 13:52:32 +00:00
Neal Norwitz 38a76a1017 Copy note from leakers README here too. We want to keep all test cases. 2006-04-14 06:35:46 +00:00
Tim Peters 1a57296450 Set svn:eol-style to native. 2006-03-01 06:19:04 +00:00
Armin Rigo b4b5a7601b collected my segfaulting Python examples from the SF trackers
(is the purpose of the crashers directory to scare people? :-)
2006-01-14 10:58:30 +00:00
Tim Peters a28ad77844 Whitespace normalization. 2006-01-13 03:05:25 +00:00
Neal Norwitz ae1df41127 add another crash reported by Thomas Wouters 2006-01-11 07:21:19 +00:00
Neal Norwitz 8cc4ef561c As I threatened on python-dev, add a directory which contains all known
bugs which cause the interpreter to crash.  I'm sure we can find a few
more.  Many missing bugs deal with variations on unchecked infinite recursion
(like coerce.py).
2006-01-10 07:49:41 +00:00