bpo-29438: fixed use-after-free in key sharing dict (#17)

2294f3ae · INADA Naoki · GitHub · e7ffb99f · 2294f3ae · 2294f3ae
Commit 2294f3ae authored Feb 12, 2017 by INADA Naoki Committed by GitHub Feb 12, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 3 deletions

Misc/NEWS Misc/NEWS +2 -0

Objects/dictobject.c Objects/dictobject.c +7 -3

No files found.
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -10,6 +10,8 @@ What's New in Python 3.7.0 alpha 1?
 Core and Builtins
 -----------------
+- bpo-29438: Fixed use-after-free problem in key sharing dict.
 - Issue #29319: Prevent RunMainFromImporter overwriting sys.path[0].
 - Issue #29337: Fixed possible BytesWarning when compare the code objects.

--- a/Objects/dictobject.c
+++ b/Objects/dictobject.c
@@ -4352,15 +4352,19 @@ _PyObjectDict_SetItem(PyTypeObject *tp, PyObject **dictptr,
        }
        if (value == NULL) {
            res = PyDict_DelItem(dict, key);
-            if (cached != ((PyDictObject *)dict)->ma_keys) {
+            // Since key sharing dict doesn't allow deletion, PyDict_DelItem()
+            // always converts dict to combined form.
+            if ((cached = CACHED_KEYS(tp)) != NULL) {
                CACHED_KEYS(tp) = NULL;
                DK_DECREF(cached);
            }
        }
        else {
-            int was_shared = cached == ((PyDictObject *)dict)->ma_keys;
+            int was_shared = (cached == ((PyDictObject *)dict)->ma_keys);
            res = PyDict_SetItem(dict, key, value);
-            if (was_shared && cached != ((PyDictObject *)dict)->ma_keys) {
+            if (was_shared &&
+                    (cached = CACHED_KEYS(tp)) != NULL &&
+                    cached != ((PyDictObject *)dict)->ma_keys) {
                /* PyDict_SetItem() may call dictresize and convert split table
                 * into combined table.  In such case, convert it to split
                 * table again and update type's shared key only when this is