Issue #24103: Fixed possible use after free in ElementTree.XMLPullParser.

ea8c4315 · Serhiy Storchaka · f0069403 · bc4ded95 · ea8c4315 · ea8c4315
Commit ea8c4315 authored Dec 24, 2015 by Serhiy Storchaka
Hide whitespace changes
Inline Side-by-side

Showing with 15 additions and 19 deletions

Misc/NEWS Misc/NEWS +2 -0

Modules/_elementtree.c Modules/_elementtree.c +13 -19

No files found.
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -118,6 +118,8 @@ Core and Builtins
 Library
 -------
+- Issue #24103: Fixed possible use after free in ElementTree.XMLPullParser.
 - Issue #25860: os.fwalk() no longer skips remaining directories when error
  occurs.  Original patch by Samson Lee.

--- a/Modules/_elementtree.c
+++ b/Modules/_elementtree.c
@@ -3581,7 +3581,7 @@ _elementtree_XMLParser__setevents_impl(XMLParserObject *self,
 /*[clinic end generated code: output=1440092922b13ed1 input=abf90830a1c3b0fc]*/
 {
    /* activate element event reporting */
-    Py_ssize_t i, seqlen;
+    Py_ssize_t i;
    TreeBuilderObject *target;
    PyObject *events_append, *events_seq;
@@ -3599,8 +3599,7 @@ _elementtree_XMLParser__setevents_impl(XMLParserObject *self,
    events_append = PyObject_GetAttrString(events_queue, "append");
    if (events_append == NULL)
        return NULL;
-    Py_XDECREF(target->events_append);
+    Py_SETREF(target->events_append, events_append);
-    target->events_append = events_append;
    /* clear out existing events */
    Py_CLEAR(target->start_event_obj);
@@ -3619,46 +3618,41 @@ _elementtree_XMLParser__setevents_impl(XMLParserObject *self,
        return NULL;
    }
-    seqlen = PySequence_Size(events_seq);
+    for (i = 0; i < PySequence_Size(events_seq); ++i) {
-    for (i = 0; i < seqlen; ++i) {
        PyObject *event_name_obj = PySequence_Fast_GET_ITEM(events_seq, i);
        char *event_name = NULL;
        if (PyUnicode_Check(event_name_obj)) {
-            event_name = _PyUnicode_AsString(event_name_obj);
+            event_name = PyUnicode_AsUTF8(event_name_obj);
        } else if (PyBytes_Check(event_name_obj)) {
            event_name = PyBytes_AS_STRING(event_name_obj);
        }
        if (event_name == NULL) {
            Py_DECREF(events_seq);
            PyErr_Format(PyExc_ValueError, "invalid events sequence");
            return NULL;
-        } else if (strcmp(event_name, "start") == 0) {
+        }
-            Py_INCREF(event_name_obj);
-            target->start_event_obj = event_name_obj;
+        Py_INCREF(event_name_obj);
+        if (strcmp(event_name, "start") == 0) {
+            Py_SETREF(target->start_event_obj, event_name_obj);
        } else if (strcmp(event_name, "end") == 0) {
-            Py_INCREF(event_name_obj);
+            Py_SETREF(target->end_event_obj, event_name_obj);
-            Py_XDECREF(target->end_event_obj);
-            target->end_event_obj = event_name_obj;
        } else if (strcmp(event_name, "start-ns") == 0) {
-            Py_INCREF(event_name_obj);
+            Py_SETREF(target->start_ns_event_obj, event_name_obj);
-            Py_XDECREF(target->start_ns_event_obj);
-            target->start_ns_event_obj = event_name_obj;
            EXPAT(SetNamespaceDeclHandler)(
                self->parser,
                (XML_StartNamespaceDeclHandler) expat_start_ns_handler,
                (XML_EndNamespaceDeclHandler) expat_end_ns_handler
                );
        } else if (strcmp(event_name, "end-ns") == 0) {
-            Py_INCREF(event_name_obj);
+            Py_SETREF(target->end_ns_event_obj, event_name_obj);
-            Py_XDECREF(target->end_ns_event_obj);
-            target->end_ns_event_obj = event_name_obj;
            EXPAT(SetNamespaceDeclHandler)(
                self->parser,
                (XML_StartNamespaceDeclHandler) expat_start_ns_handler,
                (XML_EndNamespaceDeclHandler) expat_end_ns_handler
                );
        } else {
+            Py_DECREF(event_name_obj);
            Py_DECREF(events_seq);
            PyErr_Format(PyExc_ValueError, "unknown event '%s'", event_name);
            return NULL;