Skip to content

C
cpython
Commit 20a003be authored by Serhiy Storchaka's avatar Serhiy Storchaka
Browse files
Options

Issue #24103: Fixed possible use after free in ElementTree.iterparse().

parent 5951f230
Hide whitespace changes
Inline Side-by-side
Showing with 9 additions and 13 deletions
Misc/NEWS
View file @ 20a003be
...@@ -29,6 +29,8 @@ Core and Builtins ...@@ -29,6 +29,8 @@ Core and Builtins
Library Library
------- -------
- Issue #24103: Fixed possible use after free in ElementTree.iterparse().
- Issue #20954: _args_from_interpreter_flags used by multiprocessing and some - Issue #20954: _args_from_interpreter_flags used by multiprocessing and some
tests no longer behaves incorrectly in the presence of the PYTHONHASHSEED tests no longer behaves incorrectly in the presence of the PYTHONHASHSEED
environment variable. environment variable.
......
Modules/_elementtree.c
View file @ 20a003be
...@@ -2751,8 +2751,7 @@ xmlparser_setevents(XMLParserObject* self, PyObject* args) ...@@ -2751,8 +2751,7 @@ xmlparser_setevents(XMLParserObject* self, PyObject* args)
target = (TreeBuilderObject*) self->target; target = (TreeBuilderObject*) self->target;
Py_INCREF(events); Py_INCREF(events);
Py_XDECREF(target->events); Py_SETREF(target->events, events);
target->events = events;
/* clear out existing events */ /* clear out existing events */
Py_CLEAR(target->start_event_obj); Py_CLEAR(target->start_event_obj);
...@@ -2774,33 +2773,28 @@ xmlparser_setevents(XMLParserObject* self, PyObject* args) ...@@ -2774,33 +2773,28 @@ xmlparser_setevents(XMLParserObject* self, PyObject* args)
char* event; char* event;
if (!PyString_Check(item)) if (!PyString_Check(item))
goto error; goto error;
Py_INCREF(item);
event = PyString_AS_STRING(item); event = PyString_AS_STRING(item);
if (strcmp(event, "start") == 0) { if (strcmp(event, "start") == 0) {
Py_INCREF(item); Py_SETREF(target->start_event_obj, item);
target->start_event_obj = item;
} else if (strcmp(event, "end") == 0) { } else if (strcmp(event, "end") == 0) {
Py_INCREF(item); Py_SETREF(target->end_event_obj, item);
Py_XDECREF(target->end_event_obj);
target->end_event_obj = item;
} else if (strcmp(event, "start-ns") == 0) { } else if (strcmp(event, "start-ns") == 0) {
Py_INCREF(item); Py_SETREF(target->start_ns_event_obj, item);
Py_XDECREF(target->start_ns_event_obj);
target->start_ns_event_obj = item;
EXPAT(SetNamespaceDeclHandler)( EXPAT(SetNamespaceDeclHandler)(
self->parser, self->parser,
(XML_StartNamespaceDeclHandler) expat_start_ns_handler, (XML_StartNamespaceDeclHandler) expat_start_ns_handler,
(XML_EndNamespaceDeclHandler) expat_end_ns_handler (XML_EndNamespaceDeclHandler) expat_end_ns_handler
); );
} else if (strcmp(event, "end-ns") == 0) { } else if (strcmp(event, "end-ns") == 0) {
Py_INCREF(item); Py_SETREF(target->end_ns_event_obj, item);
Py_XDECREF(target->end_ns_event_obj);
target->end_ns_event_obj = item;
EXPAT(SetNamespaceDeclHandler)( EXPAT(SetNamespaceDeclHandler)(
self->parser, self->parser,
(XML_StartNamespaceDeclHandler) expat_start_ns_handler, (XML_StartNamespaceDeclHandler) expat_start_ns_handler,
(XML_EndNamespaceDeclHandler) expat_end_ns_handler (XML_EndNamespaceDeclHandler) expat_end_ns_handler
); );
} else { } else {
Py_DECREF(item);
PyErr_Format( PyErr_Format(
PyExc_ValueError, PyExc_ValueError,
"unknown event '%s'", event "unknown event '%s'", event
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7