[Rpm-maint] [PATCH] fix use-after-free within rpmfdFromPyObject's error-handling
David Malcolm
dmalcolm at redhat.com
Thu Dec 22 23:16:25 UTC 2011
These lines within python/rpmfd-py.c: rpmfdFromPyObject
are the wrong way around:
Py_DECREF(fdo);
PyErr_SetString(PyExc_IOError, Fstrerror(fdo->fd));
If fdo was allocated by the call above to PyObject_CallFunctionObjArgs,
it may have an ob_refcnt == 1, and thus the Py_DECREF() frees it, so
fdo->fd is reading from deallocated memory.
Found using the experimental static analysis tool I'm writing; the
HTML error report can be seen at:
http://fedorapeople.org/~dmalcolm/gcc-python-plugin/2011-12-22/rpmfd-py.c.rpmfdFromPyObject-refcount-errors.html
though for some reason the line numbering in that report is a little off.
---
python/rpmfd-py.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/python/rpmfd-py.c b/python/rpmfd-py.c
index 2d443f3..a266ad6 100644
--- a/python/rpmfd-py.c
+++ b/python/rpmfd-py.c
@@ -29,8 +29,8 @@ int rpmfdFromPyObject(PyObject *obj, rpmfdObject **fdop)
if (fdo == NULL) return 0;
if (Ferror(fdo->fd)) {
- Py_DECREF(fdo);
PyErr_SetString(PyExc_IOError, Fstrerror(fdo->fd));
+ Py_DECREF(fdo);
return 0;
}
*fdop = fdo;
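Review bot: The reordering is correct: with PyErr_SetString(PyExc_IOError, Fstrerror(fdo->fd)) now evaluated before Py_DECREF(fdo), fdo->fd is read while the object is still alive, so dropping the last reference can no longer free it out from under the Fstrerror() call. Consider a one-line comment above the moved Py_DECREF(fdo) stating that fdo must stay referenced until the error string has been built, so a later edit does not reintroduce the swap; the same decref-then-dereference pattern is worth checking in the other error paths of python/rpmfd-py.c.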
--
1.7.6.2