PyDict_GetItem() returns a borrowed reference.

This attack is against ceval.c:IMPORT_NAME, which calls an object (__builtin__.__import__) without holding a reference to it.
author: Armin Rigo <arigo@tunes.org> 2007-09-06 09:30:38 +0000
committer: Armin Rigo <arigo@tunes.org> 2007-09-06 09:30:38 +0000
commit: 337841dac7f1936c78bacf60c88e085e7ca6231d (patch)
tree: f7ece2f347d2d14316f47b7deb335ae184395ace
parent: bddc3416f8ff0b1436e219aa8281ccad845d81f6 (diff)
download: cpython-git-337841dac7f1936c78bacf60c88e085e7ca6231d.tar.gz
1 files changed, 28 insertions, 0 deletions
diff --git a/Lib/test/crashers/borrowed_ref_4.py b/Lib/test/crashers/borrowed_ref_4.py
new file mode 100644
index 0000000000..d1fd8aad3a
--- /dev/null
+++ b/Lib/test/crashers/borrowed_ref_4.py
@@ -0,0 +1,28 @@
+"""
+PyDict_GetItem() returns a borrowed reference.
+This attack is against ceval.c:IMPORT_NAME, which calls an
+object (__builtin__.__import__) without holding a reference to it.
+"""
+
+import types
+import __builtin__
+
+
+class X(object):
+    def __getattr__(self, name):
+        # this is called with name == '__bases__' by PyObject_IsInstance()
+        # during the unbound method call -- it frees the unbound method
+        # itself before it invokes its im_func.
+        del __builtin__.__import__
+        return ()
+
+pseudoclass = X()
+
+class Y(object):
+    def __call__(self, *args):
+        # 'self' was freed already
+        print self, args
+
+# make an unbound method
+__builtin__.__import__ = types.MethodType(Y(), None, (pseudoclass, str))
+import spam
author	Armin Rigo <arigo@tunes.org>	2007-09-06 09:30:38 +0000
committer	Armin Rigo <arigo@tunes.org>	2007-09-06 09:30:38 +0000
commit	337841dac7f1936c78bacf60c88e085e7ca6231d (patch)
tree	f7ece2f347d2d14316f47b7deb335ae184395ace
parent	bddc3416f8ff0b1436e219aa8281ccad845d81f6 (diff)
download	cpython-git-337841dac7f1936c78bacf60c88e085e7ca6231d.tar.gz