changeset: 99671:deda5b5160d2
branch: 2.7
parent: 99668:23296440b654
user: Serhiy Storchaka
date: Thu Dec 24 11:51:24 2015 +0200
files: Misc/NEWS Modules/_elementtree.c
description: Issue #24103: Fixed possible use after free in ElementTree.iterparse().
diff -r 23296440b654 -r deda5b5160d2 Misc/NEWS
--- a/Misc/NEWS Thu Dec 24 10:35:35 2015 +0200
+++ b/Misc/NEWS Thu Dec 24 11:51:24 2015 +0200
@@ -29,6 +29,8 @@
 Library
 -------
+- Issue #24103: Fixed possible use after free in ElementTree.iterparse().
+
 - Issue #20954: _args_from_interpreter_flags used by multiprocessing and some tests no longer behaves incorrectly in the presence of the PYTHONHASHSEED environment variable.
diff -r 23296440b654 -r deda5b5160d2 Modules/_elementtree.c
--- a/Modules/_elementtree.c Thu Dec 24 10:35:35 2015 +0200
+++ b/Modules/_elementtree.c Thu Dec 24 11:51:24 2015 +0200
@@ -2751,8 +2751,7 @@
 target = (TreeBuilderObject*) self->target;
 Py_INCREF(events);
- Py_XDECREF(target->events);
- target->events = events;
+ Py_SETREF(target->events, events);
 /* clear out existing events */
 Py_CLEAR(target->start_event_obj);
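Review bot: `Py_SETREF(target->events, events);` carries no comment saying why the store has to come before the release, so a later cleanup could quietly restore the decref-then-assign order this commit removes. I would add `/* Py_SETREF stores the new reference before dropping the old one, so target->events never points at a freed object while a destructor runs */` above it; the same reasoning covers the four `Py_SETREF` calls in the next hunk. The file list names only Misc/NEWS and Modules/_elementtree.c, so the fix appears to land without a regression test for the re-entrant case. The enclosing function starts and ends outside this hunk.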
@@ -2774,33 +2773,28 @@
 char* event;
 if (!PyString_Check(item))
 goto error;
+ Py_INCREF(item);
 event = PyString_AS_STRING(item);
 if (strcmp(event, "start") == 0) {
- Py_INCREF(item);
- target->start_event_obj = item;
+ Py_SETREF(target->start_event_obj, item);
 } else if (strcmp(event, "end") == 0) {
- Py_INCREF(item);
- Py_XDECREF(target->end_event_obj);
- target->end_event_obj = item;
+ Py_SETREF(target->end_event_obj, item);
 } else if (strcmp(event, "start-ns") == 0) {
- Py_INCREF(item);
- Py_XDECREF(target->start_ns_event_obj);
- target->start_ns_event_obj = item;
+ Py_SETREF(target->start_ns_event_obj, item);
 EXPAT(SetNamespaceDeclHandler)(
 self->parser,
 (XML_StartNamespaceDeclHandler) expat_start_ns_handler,
 (XML_EndNamespaceDeclHandler) expat_end_ns_handler
 );
 } else if (strcmp(event, "end-ns") == 0) {
- Py_INCREF(item);
- Py_XDECREF(target->end_ns_event_obj);
- target->end_ns_event_obj = item;
+ Py_SETREF(target->end_ns_event_obj, item);
 EXPAT(SetNamespaceDeclHandler)(
 self->parser,
 (XML_StartNamespaceDeclHandler) expat_start_ns_handler,
 (XML_EndNamespaceDeclHandler) expat_end_ns_handler
 );
 } else {
+ Py_DECREF(item);
 PyErr_Format(
 PyExc_ValueError,
 "unknown event '%s'", event
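Review bot: In the final `else` branch the added `Py_DECREF(item);` runs before `PyErr_Format(...)` reads `event`, and `event` points into `item`'s own buffer (it comes from `PyString_AS_STRING(item)`). That is safe only while the events container still holds its own reference to `item`, which this hunk does not show. Releasing after the message is formatted removes the dependency: `PyErr_Format(PyExc_ValueError, "unknown event '%s'", event); Py_DECREF(item);`. The `PyErr_Format` call and the surrounding loop body continue outside the hunk.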