just sort the items tuple directly (closes #24094)

833b6b90 · Benjamin Peterson · f3beac21 · 833b6b90 · 833b6b90 · 833b6b90
Commit 833b6b90 authored May 02, 2015 by Benjamin Peterson
Hide whitespace changes
Inline Side-by-side

Showing with 25 additions and 27 deletions

Lib/test/test_json/test_dump.py Lib/test/test_json/test_dump.py +19 -0

Misc/NEWS Misc/NEWS +3 -0

Modules/_json.c Modules/_json.c +3 -27

No files found.
--- a/Lib/test/test_json/test_dump.py
+++ b/Lib/test/test_json/test_dump.py
@@ -28,6 +28,25 @@ class TestDump:
        self.assertEqual(self.dumps(a, default=crasher),
                 '[null, null, null, null, null]')

+    # Issue 24094
+    def test_encode_evil_dict(self):
+        class D(dict):
+            def keys(self):
+                return L
+
+        class X:
+            def __hash__(self):
+                del L[0]
+                return 1337
+
+            def __lt__(self, o):
+                return 0
+
+        L = [X() for i in range(1122)]
+        d = D()
+        d[1337] = "true.dat"
+        self.assertEqual(self.dumps(d, sort_keys=True), '{"1337": "true.dat"}')
+

 class TestPyDump(TestDump, PyTest): pass


--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -19,6 +19,9 @@ Core and Builtins
 Library
 -------

+- Issue #24094: Fix possible crash in json.encode with poorly behaved dict
+  subclasses.
+
 - Issue #23367: Fix possible overflows in the unicodedata module.

 - Issue #23361: Fix possible overflow in Windows subprocess creation code.

--- a/Modules/_json.c
+++ b/Modules/_json.c
@@ -1527,35 +1527,11 @@ encoder_listencode_dict(PyEncoderObject *s, _PyAccu *acc,
        */
    }

-    if (PyObject_IsTrue(s->sort_keys)) {
-        /* First sort the keys then replace them with (key, value) tuples. */
-        Py_ssize_t i, nitems;
-        items = PyMapping_Keys(dct);
-        if (items == NULL)
-            goto bail;
-        if (!PyList_Check(items)) {
-            PyErr_SetString(PyExc_ValueError, "keys must return list");
-            goto bail;
-        }
-        if (PyList_Sort(items) < 0)
-            goto bail;
-        nitems = PyList_GET_SIZE(items);
-        for (i = 0; i < nitems; i++) {
-            PyObject *key, *value;
-            key = PyList_GET_ITEM(items, i);
-            value = PyDict_GetItem(dct, key);
-            item = PyTuple_Pack(2, key, value);
-            if (item == NULL)
-                goto bail;
-            PyList_SET_ITEM(items, i, item);
-            Py_DECREF(key);
-        }
-    }
-    else {
-        items = PyMapping_Items(dct);
-    }
+    items = PyMapping_Items(dct);
    if (items == NULL)
        goto bail;
+    if (PyObject_IsTrue(s->sort_keys) && PyList_Sort(items) < 0)
+        goto bail;
    it = PyObject_GetIter(items);
    Py_DECREF(items);
    if (it == NULL)