Issue #6083: Fix multiple segmentation faults occured when PyArg_ParseTuple

serhiy-storchaka · serhiy-storchaka · commit b6a53404b782 · 2013-02-04T12:57:16.000+02:00
parses nested mutating sequence.
diff --git a/Lib/ctypes/test/test_returnfuncptrs.py b/Lib/ctypes/test/test_returnfuncptrs.py
@@ -33,5 +33,33 @@ def test_without_prototype(self):
         self.assertRaises(ArgumentError, strchr, b"abcdef", 3.0)
         self.assertRaises(TypeError, strchr, b"abcdef")
 
+    def test_from_dll(self):
+        dll = CDLL(_ctypes_test.__file__)
+        # _CFuncPtr instances are now callable with a tuple argument
+        # which denotes a function name and a dll:
+        strchr = CFUNCTYPE(c_char_p, c_char_p, c_char)(("strchr", dll))
+        self.assertTrue(strchr(b"abcdef", b"b"), "bcdef")
+        self.assertEqual(strchr(b"abcdef", b"x"), None)
+        self.assertRaises(ArgumentError, strchr, b"abcdef", 3.0)
+        self.assertRaises(TypeError, strchr, b"abcdef")
+
+    # Issue 6083: Reference counting bug
+    def test_test_from_dll_refcount(self):
+        class BadSequence(tuple):
+            def __getitem__(self, key):
+                if key == 0:
+                    return "strchr"
+                if key == 1:
+                    return CDLL(_ctypes_test.__file__)
+                raise IndexError
+
+        # _CFuncPtr instances are now callable with a tuple argument
+        # which denotes a function name and a dll:
+        strchr = CFUNCTYPE(c_char_p, c_char_p, c_char)(BadSequence(("strchr", CDLL(_ctypes_test.__file__))))
+        self.assertTrue(strchr(b"abcdef", b"b"), "bcdef")
+        self.assertEqual(strchr(b"abcdef", b"x"), None)
+        self.assertRaises(ArgumentError, strchr, b"abcdef", 3.0)
+        self.assertRaises(TypeError, strchr, b"abcdef")
+
 if __name__ == "__main__":
     unittest.main()
diff --git a/Lib/test/test_functools.py b/Lib/test/test_functools.py
@@ -194,7 +194,25 @@ def test_pickle(self):
         self.assertEqual(signature(f), signature(f_copy))
 
 class TestPartialC(BaseTestC, TestPartial):
-    pass
+
+    # Issue 6083: Reference counting bug
+    def test_setstate_refcount(self):
+        class BadSequence:
+            def __len__(self):
+                return 4
+            def __getitem__(self, key):
+                if key == 0:
+                    return max
+                elif key == 1:
+                    return tuple(range(1000000))
+                elif key in (2, 3):
+                    return {}
+                raise IndexError
+
+        f = self.partial(object)
+        self.assertRaisesRegex(SystemError,
+                "new style getargs format but argument is not a tuple",
+                f.__setstate__, BadSequence())
 
 class TestPartialPy(BaseTestPy, TestPartial):
 
@@ -204,7 +222,7 @@ def test_pickle(self):
     def test_repr(self):
         raise unittest.SkipTest("Python implementation of partial uses own repr")
 
-class TestPartialCSubclass(BaseTestC, TestPartial):
+class TestPartialCSubclass(TestPartialC):
 
     class PartialSubclass(c_functools.partial):
         pass
diff --git a/Lib/test/test_resource.py b/Lib/test/test_resource.py
@@ -107,6 +107,23 @@ def test_getrusage(self):
         except (ValueError, AttributeError):
             pass
 
+    # Issue 6083: Reference counting bug
+    def test_setrusage_refcount(self):
+        try:
+            limits = resource.getrlimit(resource.RLIMIT_CPU)
+        except AttributeError:
+            pass
+        else:
+            class BadSequence:
+                def __len__(self):
+                    return 2
+                def __getitem__(self, key):
+                    if key in (0, 1):
+                        return len(tuple(range(1000000)))
+                    raise IndexError
+
+            resource.setrlimit(resource.RLIMIT_CPU, BadSequence())
+
 def test_main(verbose=None):
     support.run_unittest(ResourceTest)
 
diff --git a/Misc/NEWS b/Misc/NEWS
@@ -235,6 +235,9 @@ Core and Builtins
 Library
 -------
 
+- Issue #6083: Fix multiple segmentation faults occured when PyArg_ParseTuple
+  parses nested mutating sequence.
+
 - Issue #5289: Fix ctypes.util.find_library on Solaris.
 
 - Issue #17106: Fix a segmentation fault in io.TextIOWrapper when an underlying
diff --git a/Modules/_ctypes/_ctypes.c b/Modules/_ctypes/_ctypes.c
@@ -3188,23 +3188,37 @@ PyCFuncPtr_FromDll(PyTypeObject *type, PyObject *args, PyObject *kwds)
 {
     char *name;
     int (* address)(void);
+    PyObject *ftuple;
     PyObject *dll;
     PyObject *obj;
     PyCFuncPtrObject *self;
     void *handle;
     PyObject *paramflags = NULL;
 
-    if (!PyArg_ParseTuple(args, "(O&O)|O", _get_name, &name, &dll, &paramflags))
+    if (!PyArg_ParseTuple(args, "O|O", &ftuple, &paramflags))
         return NULL;
     if (paramflags == Py_None)
         paramflags = NULL;
 
+    ftuple = PySequence_Tuple(ftuple);
+    if (!ftuple)
+        /* Here ftuple is a borrowed reference */
+        return NULL;
+
+    if (!PyArg_ParseTuple(ftuple, "O&O", _get_name, &name, &dll)) {
+        Py_DECREF(ftuple);
+        return NULL;
+    }
+
     obj = PyObject_GetAttrString(dll, "_handle");
-    if (!obj)
+    if (!obj) {
+        Py_DECREF(ftuple);
         return NULL;
+    }
     if (!PyLong_Check(obj)) {
         PyErr_SetString(PyExc_TypeError,
                         "the _handle attribute of the second argument must be an integer");
+        Py_DECREF(ftuple);
         Py_DECREF(obj);
         return NULL;
     }
@@ -3213,6 +3227,7 @@ PyCFuncPtr_FromDll(PyTypeObject *type, PyObject *args, PyObject *kwds)
     if (PyErr_Occurred()) {
         PyErr_SetString(PyExc_ValueError,
                         "could not convert the _handle attribute to a pointer");
+        Py_DECREF(ftuple);
         return NULL;
     }
 
@@ -3227,6 +3242,7 @@ PyCFuncPtr_FromDll(PyTypeObject *type, PyObject *args, PyObject *kwds)
             PyErr_Format(PyExc_AttributeError,
                          "function ordinal %d not found",
                          (WORD)(size_t)name);
+        Py_DECREF(ftuple);
         return NULL;
     }
 #else
@@ -3240,9 +3256,12 @@ PyCFuncPtr_FromDll(PyTypeObject *type, PyObject *args, PyObject *kwds)
 #else
         PyErr_SetString(PyExc_AttributeError, ctypes_dlerror());
 #endif
+        Py_DECREF(ftuple);
         return NULL;
     }
 #endif
+    Py_INCREF(dll); /* for KeepRef */
+    Py_DECREF(ftuple);
     if (!_validate_paramflags(type, paramflags))
         return NULL;
 
@@ -3255,7 +3274,6 @@ PyCFuncPtr_FromDll(PyTypeObject *type, PyObject *args, PyObject *kwds)
 
     *(void **)self->b_ptr = address;
 
-    Py_INCREF((PyObject *)dll); /* for KeepRef */
     if (-1 == KeepRef((CDataObject *)self, 0, dll)) {
         Py_DECREF((PyObject *)self);
         return NULL;
diff --git a/Modules/_functoolsmodule.c b/Modules/_functoolsmodule.c
@@ -218,10 +218,10 @@ partial_reduce(partialobject *pto, PyObject *unused)
 }
 
 static PyObject *
-partial_setstate(partialobject *pto, PyObject *args)
+partial_setstate(partialobject *pto, PyObject *state)
 {
     PyObject *fn, *fnargs, *kw, *dict;
-    if (!PyArg_ParseTuple(args, "(OOOO):__setstate__",
+    if (!PyArg_ParseTuple(state, "OOOO",
                           &fn, &fnargs, &kw, &dict))
         return NULL;
     Py_XDECREF(pto->fn);
@@ -245,7 +245,7 @@ partial_setstate(partialobject *pto, PyObject *args)
 
 static PyMethodDef partial_methods[] = {
     {"__reduce__", (PyCFunction)partial_reduce, METH_NOARGS},
-    {"__setstate__", (PyCFunction)partial_setstate, METH_VARARGS},
+    {"__setstate__", (PyCFunction)partial_setstate, METH_O},
     {NULL,              NULL}           /* sentinel */
 };
 
diff --git a/Modules/resource.c b/Modules/resource.c
@@ -142,10 +142,9 @@ resource_setrlimit(PyObject *self, PyObject *args)
 {
     struct rlimit rl;
     int resource;
-    PyObject *curobj, *maxobj;
+    PyObject *limits, *curobj, *maxobj;
 
-    if (!PyArg_ParseTuple(args, "i(OO):setrlimit",
-                          &resource, &curobj, &maxobj))
+    if (!PyArg_ParseTuple(args, "iO:setrlimit", &resource, &limits))
         return NULL;
 
     if (resource < 0 || resource >= RLIM_NLIMITS) {
@@ -154,21 +153,34 @@ resource_setrlimit(PyObject *self, PyObject *args)
         return NULL;
     }
 
+    limits = PySequence_Tuple(limits);
+    if (!limits)
+        /* Here limits is a borrowed reference */
+        return NULL;
+
+    if (PyTuple_GET_SIZE(limits) != 2) {
+        PyErr_SetString(PyExc_ValueError,
+                        "expected a tuple of 2 integers");
+        goto error;
+    }
+    curobj = PyTuple_GET_ITEM(limits, 0);
+    maxobj = PyTuple_GET_ITEM(limits, 1);
+
 #if !defined(HAVE_LARGEFILE_SUPPORT)
     rl.rlim_cur = PyLong_AsLong(curobj);
     if (rl.rlim_cur == (rlim_t)-1 && PyErr_Occurred())
-        return NULL;
+        goto error;
     rl.rlim_max = PyLong_AsLong(maxobj);
     if (rl.rlim_max == (rlim_t)-1 && PyErr_Occurred())
-        return NULL;
+        goto error;
 #else
     /* The limits are probably bigger than a long */
     rl.rlim_cur = PyLong_AsLongLong(curobj);
     if (rl.rlim_cur == (rlim_t)-1 && PyErr_Occurred())
-        return NULL;
+        goto error;
     rl.rlim_max = PyLong_AsLongLong(maxobj);
     if (rl.rlim_max == (rlim_t)-1 && PyErr_Occurred())
-        return NULL;
+        goto error;
 #endif
 
     rl.rlim_cur = rl.rlim_cur & RLIM_INFINITY;
@@ -182,10 +194,15 @@ resource_setrlimit(PyObject *self, PyObject *args)
                             "not allowed to raise maximum limit");
         else
             PyErr_SetFromErrno(PyExc_OSError);
-        return NULL;
+        goto error;
     }
+    Py_DECREF(limits);
     Py_INCREF(Py_None);
     return Py_None;
+
+  error:
+    Py_DECREF(limits);
+    return NULL;
 }
 
 static PyObject *
