[Rpm-maint] [PATCH] fix use-after-free within rpmfdFromPyObject's error-handling

David Malcolm dmalcolm at redhat.com
Thu Dec 22 23:16:25 UTC 2011


These lines within python/rpmfd-py.c: rpmfdFromPyObject
are the wrong way around:

	Py_DECREF(fdo);
 	PyErr_SetString(PyExc_IOError, Fstrerror(fdo->fd));

If fdo was allocated by the call above to PyObject_CallFunctionObjArgs,
it may have an ob_refcnt == 1, and thus the Py_DECREF() frees it, so
fdo->fd is reading from deallocated memory.

Found using the experimental static analysis tool I'm writing; the
HTML error report can be seen at:
  http://fedorapeople.org/~dmalcolm/gcc-python-plugin/2011-12-22/rpmfd-py.c.rpmfdFromPyObject-refcount-errors.html
though for some reason the line numbering in that report is a little off.
---
 python/rpmfd-py.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/python/rpmfd-py.c b/python/rpmfd-py.c
index 2d443f3..a266ad6 100644
--- a/python/rpmfd-py.c
+++ b/python/rpmfd-py.c
@@ -29,8 +29,8 @@ int rpmfdFromPyObject(PyObject *obj, rpmfdObject **fdop)
     if (fdo == NULL) return 0;
 
     if (Ferror(fdo->fd)) {
-	Py_DECREF(fdo);
 	PyErr_SetString(PyExc_IOError, Fstrerror(fdo->fd));
+	Py_DECREF(fdo);
 	return 0;
     }
     *fdop = fdo;
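Review bot: the reordering is the right fix, since after it nothing in the hunk touches fdo past the Py_DECREF (only `return 0` follows), but the two lines are easy to swap back in a later cleanup; a one-line comment above `Py_DECREF(fdo);` such as "/* drop our ref last: fdo may be freed here */" would document the ordering dependency that the rest of the block does not make obvious.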
-- 
1.7.6.2
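The ordering bug described in the message, as an added example that is not part of the patch or of rpm's python bindings: a toy refcounted object (rpmfd_obj, obj_decref, set_error and the fd_* fields are stand-ins I chose for rpmfdObject, Py_DECREF, PyErr_SetString and Ferror()/Fstrerror(), not the real APIs) whose deallocation poisons the object instead of freeing it, so the dangling read is visible and safe to inspect. It also shows why the bug is latent: with a second reference held elsewhere, the pre-patch order produces the correct message and the use-after-free never fires.

```c
#include <stdio.h>
#include <string.h>

/*
 * Toy model of the refcount ordering bug; assumed names, not the real
 * CPython or rpm API. rpmfd_obj stands in for rpmfdObject, obj_decref for
 * Py_DECREF, set_error for PyErr_SetString, and the fd_* fields for what
 * Ferror()/Fstrerror() report about the wrapped FD.
 */
typedef struct {
    long ob_refcnt;
    int  fd_in_error;      /* stands in for Ferror(fdo->fd) */
    char fd_errstr[32];    /* stands in for Fstrerror(fdo->fd) */
} rpmfd_obj;

/* Objects come from a static slab so a deallocated object can still be
 * inspected safely here; deallocation poisons it instead of returning the
 * memory to malloc, which is where a real Py_DECREF leaves a dangling read. */
#define SLAB_SIZE 8
#define POISON_STR "<freed>"
static rpmfd_obj slab[SLAB_SIZE];
static int slab_next;

/* Returns a new reference (ob_refcnt == 1), like a freshly constructed
 * object handed back by PyObject_CallFunctionObjArgs(). */
rpmfd_obj *obj_alloc(int in_error, const char *errstr)
{
    if (slab_next >= SLAB_SIZE)
        return NULL;
    rpmfd_obj *o = &slab[slab_next++];
    o->ob_refcnt = 1;
    o->fd_in_error = in_error;
    snprintf(o->fd_errstr, sizeof o->fd_errstr, "%s", errstr);
    return o;
}

/* Drops one reference; on the last one the object is "deallocated". */
void obj_decref(rpmfd_obj *o)
{
    if (--o->ob_refcnt == 0) {
        o->fd_in_error = -1;
        strcpy(o->fd_errstr, POISON_STR);
    }
}

static char pending_exception[64];

void set_error(const char *msg)
{
    snprintf(pending_exception, sizeof pending_exception, "%s", msg);
}

const char *pending_error_message(void)
{
    return pending_exception;
}

/* Ordering from before the patch: release, then read. */
int from_object_buggy(rpmfd_obj *fdo, rpmfd_obj **fdop)
{
    if (fdo == NULL)
        return 0;
    if (fdo->fd_in_error) {
        obj_decref(fdo);
        set_error(fdo->fd_errstr);  /* dangling read when this was the last ref */
        return 0;
    }
    *fdop = fdo;
    return 1;
}

/* Ordering from the patch: everything that touches fdo happens while the
 * caller still holds its reference; dropping the reference is the last step. */
int from_object_fixed(rpmfd_obj *fdo, rpmfd_obj **fdop)
{
    if (fdo == NULL)
        return 0;
    if (fdo->fd_in_error) {
        set_error(fdo->fd_errstr);
        obj_decref(fdo);
        return 0;
    }
    *fdop = fdo;
    return 1;
}

int main(void)
{
    rpmfd_obj *out = NULL;

    /* Sole reference: the pre-patch order reports the poisoned string. */
    from_object_buggy(obj_alloc(1, "Input/output error"), &out);
    printf("buggy, refcnt 1: %s\n", pending_error_message());

    /* An extra reference held elsewhere hides the same bug. */
    rpmfd_obj *shared = obj_alloc(1, "Input/output error");
    shared->ob_refcnt++;
    from_object_buggy(shared, &out);
    printf("buggy, refcnt 2: %s\n", pending_error_message());

    from_object_fixed(obj_alloc(1, "Input/output error"), &out);
    printf("fixed, refcnt 1: %s\n", pending_error_message());
    return 0;
}
```

The slab and poisoning exist only so the example can show the wrong value deterministically; with a real allocator the same read returns whatever now occupies the freed block, which is why the bug only surfaces when the constructed object was the caller's sole reference.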
