Uh oh!
There was an error while loading.Please reload this page.
- Notifications
You must be signed in to change notification settings - Fork33.7k
Closed
Description
cpython/Python/generated_cases.c.h
Lines 1648 to 1667 in36b139a
| TARGET(BUILD_SET) { | |
| PyObject**values=&PEEK(oparg); | |
| PyObject*set; | |
| set=PySet_New(NULL); | |
| interr=0; | |
| for (inti=0;i<oparg;i++) { | |
| PyObject*item=values[i]; | |
| if (err==0) | |
| err=PySet_Add(set,item); | |
| Py_DECREF(item); | |
| } | |
| if (err!=0) { | |
| Py_DECREF(set); | |
| if (true) {STACK_SHRINK(oparg); gotoerror; } | |
| } | |
| STACK_SHRINK(oparg); | |
| STACK_GROW(1); | |
| POKE(1,set); | |
| DISPATCH(); | |
| } |
&
Lines 1303 to 1316 in36b139a
| inst(BUILD_SET, (values[oparg]--set)) { | |
| set=PySet_New(NULL); | |
| interr=0; | |
| for (inti=0;i<oparg;i++) { | |
| PyObject*item=values[i]; | |
| if (err==0) | |
| err=PySet_Add(set,item); | |
| Py_DECREF(item); | |
| } | |
| if (err!=0) { | |
| Py_DECREF(set); | |
| ERROR_IF(true,error); | |
| } | |
| } |
Doesn't take in account case, whenPySet_New(NULL) returns NULL.
We are checking thatPySet_Add doesn't return a non-zero(-1) value.
But,PySet_Add has a check, that first argument is a subclass ofset. Which fails, if we will pass(PyObject *) NULL as first argument. Why?
#definePySet_Check(ob) \ (Py_IS_TYPE((ob), &PySet_Type) || \ PyType_IsSubtype(Py_TYPE(ob), &PySet_Type))
PySet_Add uses this macross. But,Py_TYPE will be failed with segfault when try to accessob_type of(PyObject *) NULL.
Implementation ofPy_TYPE:
staticinlinePyTypeObject*Py_TYPE(PyObject*ob) {returnob->ob_type;}
(gdb) call (PyObject *) NULL$1 = (PyObject *)0x0(gdb) call $1->ob_typeCannot access memory ataddress0x8
So, we should add check, that value ofPySet_New is not-null.