bpo-38610: Fix possible crashes in several list methods (GH-17022)

Hold strong references to list elements while calling PyObject_RichCompareBool().
2019-12-30 12:32:58 -07:00 · 2019-12-30 12:32:58 -07:00 · d9e561d23d
parent 09c482fad1
commit d9e561d23d
3 changed files with 40 additions and 3 deletions
--- a/Lib/test/test_list.py
+++ b/Lib/test/test_list.py
@ -171,5 +171,31 @@ class ListTest(list_tests.CommonTest):
        self.assertEqual(iter_size, sys.getsizeof(list([0] * 10)))
        self.assertEqual(iter_size, sys.getsizeof(list(range(10))))

+    def test_count_index_remove_crashes(self):
+        # bpo-38610: The count(), index(), and remove() methods were not
+        # holding strong references to list elements while calling
+        # PyObject_RichCompareBool().
+        class X:
+            def __eq__(self, other):
+                lst.clear()
+                return NotImplemented
+
+        lst = [X()]
+        with self.assertRaises(ValueError):
+            lst.index(lst)
+
+        class L(list):
+            def __eq__(self, other):
+                str(other)
+                return NotImplemented
+
+        lst = L([X()])
+        lst.count(lst)
+
+        lst = L([X()])
+        with self.assertRaises(ValueError):
+            lst.remove(lst)
+
+
 if __name__ == "__main__":
    unittest.main()
--- a/Builtins/2019-10-31-14-30-39.bpo-38610.fHdVMS.rst
+++ b/Builtins/2019-10-31-14-30-39.bpo-38610.fHdVMS.rst
@ -0,0 +1,2 @@
+Fix possible crashes in several list methods by holding strong references to
+list elements when calling :c:func:`PyObject_RichCompareBool`.
--- a/Objects/listobject.c
+++ b/Objects/listobject.c
@ -2553,7 +2553,10 @@ list_index_impl(PyListObject *self, PyObject *value, Py_ssize_t start,
            stop = 0;
    }
    for (i = start; i < stop && i < Py_SIZE(self); i++) {
-        int cmp = PyObject_RichCompareBool(self->ob_item[i], value, Py_EQ);
+        PyObject *obj = self->ob_item[i];
+        Py_INCREF(obj);
+        int cmp = PyObject_RichCompareBool(obj, value, Py_EQ);
+        Py_DECREF(obj);
        if (cmp > 0)
            return PyLong_FromSsize_t(i);
        else if (cmp < 0)
@ -2580,7 +2583,10 @@ list_count(PyListObject *self, PyObject *value)
    Py_ssize_t i;

    for (i = 0; i < Py_SIZE(self); i++) {
-        int cmp = PyObject_RichCompareBool(self->ob_item[i], value, Py_EQ);
+        PyObject *obj = self->ob_item[i];
+        Py_INCREF(obj);
+        int cmp = PyObject_RichCompareBool(obj, value, Py_EQ);
+        Py_DECREF(obj);
        if (cmp > 0)
            count++;
        else if (cmp < 0)
@ -2607,7 +2613,10 @@ list_remove(PyListObject *self, PyObject *value)
    Py_ssize_t i;

    for (i = 0; i < Py_SIZE(self); i++) {
-        int cmp = PyObject_RichCompareBool(self->ob_item[i], value, Py_EQ);
+        PyObject *obj = self->ob_item[i];
+        Py_INCREF(obj);
+        int cmp = PyObject_RichCompareBool(obj, value, Py_EQ);
+        Py_DECREF(obj);
        if (cmp > 0) {
            if (list_ass_slice(self, i, i+1,
                               (PyObject *)NULL) == 0)