mirrors
/
cpython
mirror of https://github.com/python/cpython.git
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[3.9] gh-92112: Fix crash triggered by an evil custom `mro()` (GH-92113) (GH-92372) 

(cherry picked from commit 85354ed78c)

Co-authored-by: Alexey Izbyshev <izbyshev@ispras.ru>
This commit is contained in:
Jelle Zijlstra 2022-05-16 09:47:35 -07:00 committed by GitHub
parent 518b238967
commit f82b32410b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 29 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
Lib/test/test_descr.py
View File

@ -5686,6 +5686,23 @@ def mro(cls):
class A(metaclass=M): class A(metaclass=M):
pass pass
def test_disappearing_custom_mro(self):
"""
gh-92112: A custom mro() returning a result conflicting with
__bases__ and deleting itself caused a double free.
"""
class B:
pass
class M(DebugHelperMeta):
def mro(cls):
del M.mro
return (B,)
with self.assertRaises(TypeError):
class A(metaclass=M):
pass
if __name__ == "__main__": if __name__ == "__main__":
unittest.main() unittest.main()

1
Misc/NEWS.d/next/Core and Builtins/2022-05-01-10-58-38.gh-issue-92112.lLJemu.rst Normal file
View File

@ -0,0 +1 @@
Fix crash triggered by an evil custom ``mro()`` on a metaclass.

20
Objects/typeobject.c
View File

@ -317,25 +317,29 @@ type_mro_modified(PyTypeObject *type, PyObject *bases) {
Py_ssize_t i, n; Py_ssize_t i, n;
int custom = !Py_IS_TYPE(type, &PyType_Type); int custom = !Py_IS_TYPE(type, &PyType_Type);
int unbound; int unbound;
PyObject *mro_meth = NULL;
PyObject *type_mro_meth = NULL;
if (!_PyType_HasFeature(type, Py_TPFLAGS_HAVE_VERSION_TAG)) if (!_PyType_HasFeature(type, Py_TPFLAGS_HAVE_VERSION_TAG))
return; return;
if (custom) { if (custom) {
PyObject *mro_meth, *type_mro_meth;
mro_meth = lookup_maybe_method( mro_meth = lookup_maybe_method(
(PyObject *)type, &PyId_mro, &unbound); (PyObject *)type, &PyId_mro, &unbound);
if (mro_meth == NULL) if (mro_meth == NULL) {
goto clear; goto clear;
}
type_mro_meth = lookup_maybe_method( type_mro_meth = lookup_maybe_method(
(PyObject *)&PyType_Type, &PyId_mro, &unbound); (PyObject *)&PyType_Type, &PyId_mro, &unbound);
if (type_mro_meth == NULL) if (type_mro_meth == NULL) {
Py_DECREF(mro_meth);
goto clear; goto clear;
if (mro_meth != type_mro_meth) }
int custom_mro = (mro_meth != type_mro_meth);
Py_DECREF(mro_meth);
Py_DECREF(type_mro_meth);
if (custom_mro) {
goto clear; goto clear;
Py_XDECREF(mro_meth); }
Py_XDECREF(type_mro_meth);
} }
n = PyTuple_GET_SIZE(bases); n = PyTuple_GET_SIZE(bases);
for (i = 0; i < n; i++) { for (i = 0; i < n; i++) {
@ -352,8 +356,6 @@ type_mro_modified(PyTypeObject *type, PyObject *bases) {
} }
return; return;
clear: clear:
Py_XDECREF(mro_meth);
Py_XDECREF(type_mro_meth);
type->tp_flags &= ~(Py_TPFLAGS_HAVE_VERSION_TAG| type->tp_flags &= ~(Py_TPFLAGS_HAVE_VERSION_TAG|
Py_TPFLAGS_VALID_VERSION_TAG); Py_TPFLAGS_VALID_VERSION_TAG);
} }