# xmlparser_setevents(XMLParserObject *self, PyObject* args)# {#     ...#     /* clear out existing events */#     Py_CLEAR(target->start_event_obj);# 1   Py_CLEAR(target->end_event_obj);#     Py_CLEAR(target->start_ns_event_obj);#     Py_CLEAR(target->end_ns_event_obj);# #     ...# #     seqlen = PySequence_Size(events_seq);#     for (i = 0; i < seqlen; ++i) {# 3       PyObject *event_name_obj = PySequence_Fast_GET_ITEM(events_seq, i);#         ...# #         if (event_name == NULL) {#             ...#             return NULL;#         } else if (strcmp(event_name, "start") == 0) {#             ...#         } else if (strcmp(event_name, "end") == 0) {#             Py_INCREF(event_name_obj);# 2           Py_XDECREF(target->end_event_obj);#             target->end_event_obj = event_name_obj;#         }#         ...#       }#     ...#   }# # This one leverages nested _setevents invocations. First invocation sets # target->end_event_obj to S1 instance. On seconds invocation, # target->end_event_obj has refcnt==1, so DECREF at line 1 triggers S1.__del__().# Destructor invokes _setevents again and sets target->end_event_obj to a S3 # instance (with refcnt==1). After we return from nested call at line 1, # execution continues until it hits an "end" element. At line 2 S3.__del__() is# called and it deallocates "events_seq". This triggers a controlled OOB (we can# call it a use after free too) read at line 3. We can control a PyObject pointer.# # Program received signal SIGSEGV, Segmentation fault.# 0x4068563b in xmlparser_setevents (self=0x40669e4c, args=([], [])) at /home/p/Python-3.4.1/Modules/_elementtree.c:3560# 3560            PyObject *event_name_obj = PySequence_Fast_GET_ITEM(events_seq, i);# (gdb) print i# $1 = 1337# (gdb) print *(PyListObject*)events_seq# $2 = {ob_base = {ob_base = {_ob_next = 0x40669df4, _ob_prev = 0x4055f814, ob_refcnt = 3, ob_type = 0x830e1c0 <PyList_Type>}, #     ob_size = 0}, ob_item = 0x0, allocated = 0}#

ping

ping

Proposed patch fixes both this issue andissue24104. With the special macro proposed inissue20440 it can be better.

New changesetdeda5b5160d2 by Serhiy Storchaka in branch '2.7':Issue#24103: Fixed possible use after free in ElementTree.iterparse().https://hg.python.org/cpython/rev/deda5b5160d2New changeseted62cf0cf256 by Serhiy Storchaka in branch '3.5':Issue#24103: Fixed possible use after free in ElementTree.XMLPullParser.https://hg.python.org/cpython/rev/ed62cf0cf256New changeset8a14af800f96 by Serhiy Storchaka in branch 'default':Issue#24103: Fixed possible use after free in ElementTree.XMLPullParser.https://hg.python.org/cpython/rev/8a14af800f96