Skip to content

gh-92930: _pickle.c: Acquire strong references before calling save() #92931

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
sweeneyde merged 11 commits into from
Jun 11, 2022
Merged

gh-92930: _pickle.c: Acquire strong references before calling save() #92931

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
9b70755
Acquire strong references after PyDict_Next
sweeneyde May 18, 2022
7af44c4
simplify test
sweeneyde May 18, 2022
802a220
📜🤖 Added by blurb_it.
blurb-it[bot] May 18, 2022
a2a8e35
INCREF before save() in batch_list_exact
sweeneyde Jun 10, 2022
58ad6a2
Merge branch 'main' into picklecrasher
sweeneyde Jun 10, 2022
e48b31d
Add INCREF/DECREF for save_set
sweeneyde Jun 10, 2022
72b3dd5
Merge branch 'picklecrasher' of https://github.com/sweeneyde/cpython …
sweeneyde Jun 10, 2022
7b8f697
More tests
sweeneyde Jun 10, 2022
7133c2c
Check non-singleton set
sweeneyde Jun 10, 2022
a939d16
Update Misc/NEWS.d/next/Core and Builtins/2022-05-18-18-34-45.gh-issu…
sweeneyde Jun 10, 2022
370c44e
clean up test case, better name
sweeneyde Jun 11, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Next Next commit
Acquire strong references after PyDict_Next
  • Loading branch information
@sweeneyde
sweeneyde committed May 18, 2022
commit 9b707556e04ba81b6f52607cf27565d4d395def2
39 changes: 39 additions & 0 deletions Lib/test/pickletester.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3035,6 +3035,45 @@ def check_array(arr):
# 2-D, non-contiguous
check_array(arr[::2])

def test_evil_class_mutating_dict(self):
from random import getrandbits

global Bad
class Bad:
def __eq__(self, other):
if not ENABLED:
return False
return getrandbits(4) == 0
def __hash__(self):
return getrandbits(1)
def __reduce__(self):
break_things()
return (Bad, (), ())
def __setstate__(self, *args):
break_things()
def __del__(self):
break_things()
def __getattr__(self):
break_things()

def break_things():
if ENABLED and getrandbits(6) == 0:
collection.clear()

for proto in protocols:
for _ in range(20):
ENABLED = False
collection = {Bad(): Bad() for _ in range(50)}
for bad in collection:
bad.bad = bad
bad.collection = collection
ENABLED = True
try:
self.loads(self.dumps(collection, proto))
except RuntimeError as e:
expected = "changed size during iteration"
self.assertIn(expected, str(e))


class BigmemPickleTests:

Expand Down
32 changes: 24 additions & 8 deletions Modules/_pickle.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3259,10 +3259,16 @@ batch_dict_exact(PicklerObject *self, PyObject *obj)
/* Special-case len(d) == 1 to save space. */
if (dict_size == 1) {
PyDict_Next(obj, &ppos, &key, &value);
if (save(self, key, 0) < 0)
return -1;
if (save(self, value, 0) < 0)
return -1;
Py_INCREF(key);
Py_INCREF(value);
if (save(self, key, 0) < 0) {
goto error;
}
if (save(self, value, 0) < 0) {
goto error;
}
Py_CLEAR(key);
Py_CLEAR(value);
if (_Pickler_Write(self, &setitem_op, 1) < 0)
return -1;
return 0;
Expand All @@ -3274,10 +3280,16 @@ batch_dict_exact(PicklerObject *self, PyObject *obj)
if (_Pickler_Write(self, &mark_op, 1) < 0)
return -1;
while (PyDict_Next(obj, &ppos, &key, &value)) {
if (save(self, key, 0) < 0)
return -1;
if (save(self, value, 0) < 0)
return -1;
Py_INCREF(key);
Py_INCREF(value);
if (save(self, key, 0) < 0) {
goto error;
}
if (save(self, value, 0) < 0) {
goto error;
}
Py_CLEAR(key);
Py_CLEAR(value);
if (++i == BATCHSIZE)
break;
}
Expand All @@ -3292,6 +3304,10 @@ batch_dict_exact(PicklerObject *self, PyObject *obj)

} while (i == BATCHSIZE);
return 0;
error:
Py_XDECREF(key);
Py_XDECREF(value);
return -1;
}

static int
Expand Down