fix use-after-free within rpmfdFromPyObject's error-handling
These lines within python/rpmfd-py.c: rpmfdFromPyObject are the wrong way around: Py_DECREF(fdo); PyErr_SetString(PyExc_IOError, Fstrerror(fdo->fd)); If fdo was allocated by the call above to PyObject_CallFunctionObjArgs, it may have an ob_refcnt == 1, and thus the Py_DECREF() frees it, so fdo->fd is reading from deallocated memory. Signed-off-by: Ales Kozumplik <akozumpl@redhat.com>
This commit is contained in:
parent
9cb5d5ccfb
commit
fdba253885
|
@ -29,8 +29,8 @@ int rpmfdFromPyObject(PyObject *obj, rpmfdObject **fdop)
|
||||||
if (fdo == NULL) return 0;
|
if (fdo == NULL) return 0;
|
||||||
|
|
||||||
if (Ferror(fdo->fd)) {
|
if (Ferror(fdo->fd)) {
|
||||||
Py_DECREF(fdo);
|
|
||||||
PyErr_SetString(PyExc_IOError, Fstrerror(fdo->fd));
|
PyErr_SetString(PyExc_IOError, Fstrerror(fdo->fd));
|
||||||
|
Py_DECREF(fdo);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
*fdop = fdo;
|
*fdop = fdo;
|
||||||
|
|
Loading…
Reference in New Issue