Armin Rigo
249205d9d6
An example that shows that _PyInstance_Lookup() does not fulfill
...
its documented purpose.
2010-09-03 09:26:14 +00:00
Armin Rigo
ffd0dc1e8b
Sorry, sorry! Ignore my previous two commits. I mixed up the version
...
of python with which I tried running the crashers. They don't crash
the current HEAD.
2009-09-03 19:45:27 +00:00
Armin Rigo
f866fbb303
Does not terminate: consume all memory without responding to Ctrl-C.
...
I am not too sure why, but you can surely find out by gdb'ing a bit...
2009-09-03 19:42:03 +00:00
Armin Rigo
f416690490
Found the next crasher by thinking about this logic in PyPy.
2009-09-03 19:40:07 +00:00
Benjamin Peterson
83db7652ca
thanks to guido's bytecode verifier, this is fixed
2009-03-29 21:31:05 +00:00
Benjamin Peterson
d2c184605e
this has been fixed since 2.6 (I love removing these)
2009-03-29 21:22:35 +00:00
Armin Rigo
5561986da3
Ivan on IRC in #twisted reported this crasher.
2009-02-06 11:46:26 +00:00
Amaury Forgeot d'Arc
a40d573664
#3720 : Interpreter crashes when an evil iterator removes its own next function.
...
Now the slot is filled with a function that always raises.
Will not backport: extensions compiled with 2.6.x would not run on 2.6.0.
2009-01-12 23:36:55 +00:00
Armin Rigo
dcde494114
A collection of crashers, all variants of the idea
...
of issue #3720 .
2008-08-29 21:21:52 +00:00
Armin Rigo
ffae306784
Sounds obvious, but I didn't even realize that you can put non-string
...
keys in type dictionaries without using this locals() hack.
2008-06-12 09:50:58 +00:00
Armin Rigo
5364e2e46f
A new crasher.
2008-04-25 09:35:18 +00:00
Guido van Rossum
37edeab778
Fix test67.py from issue #1303614 .
2008-01-24 17:58:05 +00:00
Guido van Rossum
1d9a9eaa89
Fix two crashers.
2008-01-23 20:19:01 +00:00
Guido van Rossum
bf4c7c8c0d
This got fixed for classic classes in r60057,
...
and backported to 2.5.2 in 60056.
2008-01-18 23:05:40 +00:00
Georg Brandl
fa6179701c
Remove duplicate crasher.
2007-10-21 10:01:56 +00:00
Armin Rigo
1486182451
Add a crasher for the long-standing issue with closing a file
...
while another thread uses it.
2007-10-21 09:14:15 +00:00
Brett Cannon
1e534b5425
Fix a crasher where Python code managed to infinitely recurse in C code without
...
ever going back out to Python code in PyObject_Call(). Required introducing a
static RuntimeError instance so that normalizing an exception there is no
reliance on a recursive call that would put the exception system over the
recursion check itself.
2007-09-07 04:18:30 +00:00
Armin Rigo
337841dac7
PyDict_GetItem() returns a borrowed reference.
...
This attack is against ceval.c:IMPORT_NAME, which calls an
object (__builtin__.__import__) without holding a reference to it.
2007-09-06 09:30:38 +00:00
Armin Rigo
362bb51503
PyDict_GetItem() returns a borrowed reference.
...
There are probably a number of places that are open to attacks
such as the following one, in bltinmodule.c:min_max().
2007-09-05 07:51:21 +00:00
Georg Brandl
bf138333ce
Add a crasher for the thread-unsafety of file objects.
2007-08-28 18:54:44 +00:00
Armin Rigo
9790a27065
Fix for #1303614 and #1174712 :
...
- __dict__ descriptor abuse for subclasses of built-in types
- subclassing from both ModuleType and another built-in types
Thanks zseil for the patch.
2007-05-02 19:23:31 +00:00
Armin Rigo
adf172339c
Modify the segfaulting example to show why r53997 is not a solution to
...
it.
2007-02-28 09:25:29 +00:00
Jeremy Hylton
fa955697fa
Add checking for a number of metaclass error conditions.
...
We add some new rules that are required for preserving internal
invariants of types.
1. If type (or a subclass of type) appears in bases, it must appear
before any non-type bases. If a non-type base (like a regular
new-style class) occurred first, it could trick type into
allocating the new class an __dict__ which must be impossible.
2. There are several checks that are made of bases when creating a
type. Those checks are now repeated when assigning to __bases__.
We also add the restriction that assignment to __bases__ may not
change the metaclass of the type.
Add new tests for these cases and for a few other oddball errors that
were no previously tested. Remove a crasher test that was fixed.
Also some internal refactoring: Extract the code to find the most
derived metaclass of a type and its bases. It is now needed in two
places. Rewrite the TypeError checks in test_descr to use doctest.
The tests now clearly show what exception they expect to see.
2007-02-27 18:29:45 +00:00
Brett Cannon
f5bee30e30
Fix crasher for when an object's __del__ creates a new weakref to itself.
...
Patch only fixes new-style classes; classic classes still buggy.
Closes bug #1377858 . Already backported.
2007-01-23 23:21:22 +00:00
Armin Rigo
c839c2f226
Another crasher.
2006-09-25 15:16:26 +00:00
Neal Norwitz
361b46be24
Add a "crasher" taken from the sgml bug report referenced in the comment
2006-09-11 04:32:57 +00:00
Armin Rigo
cd73a78b68
The regular expression engine in '_sre' can segfault when interpreting
...
bogus bytecode. It is unclear whether this is a real bug or a "won't
fix" case like bogus_code_obj.py.
2006-08-25 12:44:28 +00:00
Armin Rigo
b62efad943
Document the crashers that will not go away soon as "won't fix",
...
and explain why.
2006-07-25 18:38:39 +00:00
Armin Rigo
5a9a2a3fe1
Added another crasher, which hit me today (I was not intentionally
...
writing such code, of course, but it took some gdb time to figure out
what my bug was).
2006-07-25 18:11:07 +00:00
Armin Rigo
4df7c0a55b
Document why is and is not a good way to fix the gc_inspection crasher.
2006-07-25 18:09:57 +00:00
Armin Rigo
5953baca0a
A couple of examples about how to attack the fact that _PyType_Lookup()
...
returns a borrowed ref. Many of the calls are open to attack.
2006-07-06 07:58:18 +00:00
Fred Drake
6ffe499397
SF bug #1296433 (Expat bug #1515266 ): Unchecked calls to character data
...
handler would cause a segfault. This merges in Expat's lib/xmlparse.c
revisions 1.154 and 1.155, which fix this and a closely related problem
(the later does not affect Python).
Moved the crasher test to the tests for xml.parsers.expat.
2006-07-01 16:28:20 +00:00
Armin Rigo
d77ef8fa51
A couple of crashers of the "won't fix" kind.
2006-06-28 10:49:51 +00:00
Brett Cannon
ea3912b0da
If a classic class defined a __coerce__() method that just returned its two
...
arguments in reverse, the interpreter would infinitely recourse trying to get a
coercion that worked. So put in a recursion check after a coercion is made and
the next call to attempt to use the coerced values.
Fixes bug #992017 and closes crashers/coerce.py .
2006-06-13 21:46:41 +00:00
Brett Cannon
22565aac3b
An object with __call__ as an attribute, when called, will have that attribute checked for __call__ itself, and will continue to look until it finds an object without the attribute. This can lead to an infinite recursion.
...
Closes bug #532646 , again. Will be backported.
2006-06-09 22:31:23 +00:00
Armin Rigo
35f6d36951
[ 1497053 ] Let dicts propagate the exceptions in user __eq__().
...
[ 1456209 ] dictresize() vulnerability ( <- backport candidate ).
2006-06-01 13:19:12 +00:00
Armin Rigo
7e97ee6ac8
A dictresize() attack. If oldtable == mp->ma_smalltable then pure
...
Python code can mangle with mp->ma_smalltable while it is being walked
over.
2006-04-18 14:00:01 +00:00
Michael W. Hudson
15b1f146bc
add a very old crasher from the 2.1 -> 2.2 round of dictionary fixes.
2006-04-18 13:52:32 +00:00
Neal Norwitz
38a76a1017
Copy note from leakers README here too. We want to keep all test cases.
2006-04-14 06:35:46 +00:00
Tim Peters
1a57296450
Set svn:eol-style to native.
2006-03-01 06:19:04 +00:00
Armin Rigo
b4b5a7601b
collected my segfaulting Python examples from the SF trackers
...
(is the purpose of the crashers directory to scare people? :-)
2006-01-14 10:58:30 +00:00
Tim Peters
a28ad77844
Whitespace normalization.
2006-01-13 03:05:25 +00:00
Neal Norwitz
ae1df41127
add another crash reported by Thomas Wouters
2006-01-11 07:21:19 +00:00
Neal Norwitz
8cc4ef561c
As I threatened on python-dev, add a directory which contains all known
...
bugs which cause the interpreter to crash. I'm sure we can find a few
more. Many missing bugs deal with variations on unchecked infinite recursion
(like coerce.py).
2006-01-10 07:49:41 +00:00