folkslinux
/
rpm
mirror of https://github.com/rpm-software-management/rpm.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

fix use-after-free within rpmfdFromPyObject's error-handling 

These lines within python/rpmfd-py.c: rpmfdFromPyObject
are the wrong way around:

	Py_DECREF(fdo);
 	PyErr_SetString(PyExc_IOError, Fstrerror(fdo->fd));

If fdo was allocated by the call above to PyObject_CallFunctionObjArgs,
it may have an ob_refcnt == 1, and thus the Py_DECREF() frees it, so
fdo->fd is reading from deallocated memory.

Signed-off-by: Ales Kozumplik <akozumpl@redhat.com>
This commit is contained in:
David Malcolm 2011-12-22 18:16:25 -05:00 committed by Ales Kozumplik
parent 9cb5d5ccfb
commit fdba253885
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
python/rpmfd-py.c
View File

@ -29,8 +29,8 @@ int rpmfdFromPyObject(PyObject *obj, rpmfdObject **fdop)
if (fdo == NULL) return 0; if (fdo == NULL) return 0;
if (Ferror(fdo->fd)) { if (Ferror(fdo->fd)) {
Py_DECREF(fdo);
PyErr_SetString(PyExc_IOError, Fstrerror(fdo->fd)); PyErr_SetString(PyExc_IOError, Fstrerror(fdo->fd));
Py_DECREF(fdo);
return 0; return 0;
} }
*fdop = fdo; *fdop = fdo;