Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit bc4ded9

Browse files
serhiy-storchakaserhiy-storchaka
committed
Issue #24103: Fixed possible use after free in ElementTree.XMLPullParser.
1 parent 5a57ade commit bc4ded9

2 files changed

Lines changed: 15 additions & 19 deletions

File tree

Misc/NEWS

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -31,6 +31,8 @@ Core and Builtins
3131
Library
3232
-------
3333

34+
- Issue #24103: Fixed possible use after free in ElementTree.XMLPullParser.
35+
3436
- Issue #25860: os.fwalk() no longer skips remaining directories when error
3537
occurs. Original patch by Samson Lee.
3638

Modules/_elementtree.c

Lines changed: 13 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -3598,7 +3598,7 @@ _elementtree_XMLParser__setevents_impl(XMLParserObject *self,
35983598
/*[clinic end generated code: output=1440092922b13ed1 input=59db9742910c6174]*/
35993599
{
36003600
/* activate element event reporting */
3601-
Py_ssize_t i, seqlen;
3601+
Py_ssize_t i;
36023602
TreeBuilderObject *target;
36033603
PyObject *events_seq;
36043604

@@ -3614,8 +3614,7 @@ _elementtree_XMLParser__setevents_impl(XMLParserObject *self,
36143614
target = (TreeBuilderObject*) self->target;
36153615

36163616
Py_INCREF(events_queue);
3617-
Py_XDECREF(target->events);
3618-
target->events = events_queue;
3617+
Py_SETREF(target->events, events_queue);
36193618

36203619
/* clear out existing events */
36213620
Py_CLEAR(target->start_event_obj);
@@ -3634,46 +3633,41 @@ _elementtree_XMLParser__setevents_impl(XMLParserObject *self,
36343633
return NULL;
36353634
}
36363635

3637-
seqlen = PySequence_Size(events_seq);
3638-
for (i = 0; i < seqlen; ++i) {
3636+
for (i = 0; i < PySequence_Size(events_seq); ++i) {
36393637
PyObject *event_name_obj = PySequence_Fast_GET_ITEM(events_seq, i);
36403638
char *event_name = NULL;
36413639
if (PyUnicode_Check(event_name_obj)) {
3642-
event_name = _PyUnicode_AsString(event_name_obj);
3640+
event_name = PyUnicode_AsUTF8(event_name_obj);
36433641
} else if (PyBytes_Check(event_name_obj)) {
36443642
event_name = PyBytes_AS_STRING(event_name_obj);
36453643
}
3646-
36473644
if (event_name == NULL) {
36483645
Py_DECREF(events_seq);
36493646
PyErr_Format(PyExc_ValueError, "invalid events sequence");
36503647
return NULL;
3651-
} else if (strcmp(event_name, "start") == 0) {
3652-
Py_INCREF(event_name_obj);
3653-
target->start_event_obj = event_name_obj;
3648+
}
3649+
3650+
Py_INCREF(event_name_obj);
3651+
if (strcmp(event_name, "start") == 0) {
3652+
Py_SETREF(target->start_event_obj, event_name_obj);
36543653
} else if (strcmp(event_name, "end") == 0) {
3655-
Py_INCREF(event_name_obj);
3656-
Py_XDECREF(target->end_event_obj);
3657-
target->end_event_obj = event_name_obj;
3654+
Py_SETREF(target->end_event_obj, event_name_obj);
36583655
} else if (strcmp(event_name, "start-ns") == 0) {
3659-
Py_INCREF(event_name_obj);
3660-
Py_XDECREF(target->start_ns_event_obj);
3661-
target->start_ns_event_obj = event_name_obj;
3656+
Py_SETREF(target->start_ns_event_obj, event_name_obj);
36623657
EXPAT(SetNamespaceDeclHandler)(
36633658
self->parser,
36643659
(XML_StartNamespaceDeclHandler) expat_start_ns_handler,
36653660
(XML_EndNamespaceDeclHandler) expat_end_ns_handler
36663661
);
36673662
} else if (strcmp(event_name, "end-ns") == 0) {
3668-
Py_INCREF(event_name_obj);
3669-
Py_XDECREF(target->end_ns_event_obj);
3670-
target->end_ns_event_obj = event_name_obj;
3663+
Py_SETREF(target->end_ns_event_obj, event_name_obj);
36713664
EXPAT(SetNamespaceDeclHandler)(
36723665
self->parser,
36733666
(XML_StartNamespaceDeclHandler) expat_start_ns_handler,
36743667
(XML_EndNamespaceDeclHandler) expat_end_ns_handler
36753668
);
36763669
} else {
3670+
Py_DECREF(event_name_obj);
36773671
Py_DECREF(events_seq);
36783672
PyErr_Format(PyExc_ValueError, "unknown event '%s'", event_name);
36793673
return NULL;

0 commit comments

Comments
 (0)