bpo-27863: Fixed multiple crashes in ElementTree. (#765) (#903) (#963)
(cherry picked from commit 576def096ec7b64814e038f03290031f172886c3)
(cherry picked from commit a6b4e1902250d6f28ca6d083ce1c8d7e9b91974b)
diff --git a/Modules/_elementtree.c b/Modules/_elementtree.c
index 94dc5b7..d7f75c9 100644
--- a/Modules/_elementtree.c
+++ b/Modules/_elementtree.c
@@ -164,8 +164,7 @@
LOCAL(PyObject*)
list_join(PyObject* list)
{
- /* join list elements (destroying the list in the process) */
-
+ /* join list elements */
PyObject* joiner;
PyObject* function;
PyObject* args;
@@ -173,12 +172,10 @@
switch (PyList_GET_SIZE(list)) {
case 0:
- Py_DECREF(list);
return PyString_FromString("");
case 1:
result = PyList_GET_ITEM(list, 0);
Py_INCREF(result);
- Py_DECREF(list);
return result;
}
@@ -196,9 +193,13 @@
}
args = PyTuple_New(1);
- if (!args)
+ if (!args) {
+ Py_DECREF(function);
+ Py_DECREF(joiner);
return NULL;
+ }
+ Py_INCREF(list);
PyTuple_SET_ITEM(args, 0, list);
result = PyObject_CallObject(function, args);
@@ -435,15 +436,17 @@
{
/* return borrowed reference to text attribute */
- PyObject* res = self->text;
+ PyObject *res = self->text;
if (JOIN_GET(res)) {
res = JOIN_OBJ(res);
if (PyList_CheckExact(res)) {
- res = list_join(res);
- if (!res)
+ PyObject *tmp = list_join(res);
+ if (!tmp)
return NULL;
- self->text = res;
+ self->text = tmp;
+ Py_DECREF(res);
+ res = tmp;
}
}
@@ -455,15 +458,17 @@
{
/* return borrowed reference to text attribute */
- PyObject* res = self->tail;
+ PyObject *res = self->tail;
if (JOIN_GET(res)) {
res = JOIN_OBJ(res);
if (PyList_CheckExact(res)) {
- res = list_join(res);
- if (!res)
+ PyObject *tmp = list_join(res);
+ if (!tmp)
return NULL;
- self->tail = res;
+ self->tail = tmp;
+ Py_DECREF(res);
+ res = tmp;
}
}
@@ -1730,6 +1735,37 @@
PyObject_Del(self);
}
+/* -------------------------------------------------------------------- */
+/* helpers for handling of arbitrary element-like objects */
+
+static void
+treebuilder_set_element_text_or_tail(PyObject **data, PyObject **dest)
+{
+ PyObject *tmp = JOIN_OBJ(*dest);
+ *dest = JOIN_SET(*data, PyList_CheckExact(*data));
+ *data = NULL;
+ Py_DECREF(tmp);
+}
+
+LOCAL(void)
+treebuilder_flush_data(TreeBuilderObject* self)
+{
+ ElementObject *element = self->last;
+
+ if (self->data) {
+ if (self->this == element) {
+ treebuilder_set_element_text_or_tail(
+ &self->data,
+ &element->text);
+ }
+ else {
+ treebuilder_set_element_text_or_tail(
+ &self->data,
+ &element->tail);
+ }
+ }
+}
+
LOCAL(int)
treebuilder_append_event(TreeBuilderObject *self, PyObject *action,
PyObject *node)
@@ -1764,20 +1800,7 @@
PyObject* node;
PyObject* this;
- if (self->data) {
- if (self->this == self->last) {
- Py_DECREF(JOIN_OBJ(self->last->text));
- self->last->text = JOIN_SET(
- self->data, PyList_CheckExact(self->data)
- );
- } else {
- Py_DECREF(JOIN_OBJ(self->last->tail));
- self->last->tail = JOIN_SET(
- self->data, PyList_CheckExact(self->data)
- );
- }
- self->data = NULL;
- }
+ treebuilder_flush_data(self);
node = element_new(tag, attrib);
if (!node)
@@ -1867,20 +1890,7 @@
{
ElementObject *item;
- if (self->data) {
- if (self->this == self->last) {
- Py_DECREF(JOIN_OBJ(self->last->text));
- self->last->text = JOIN_SET(
- self->data, PyList_CheckExact(self->data)
- );
- } else {
- Py_DECREF(JOIN_OBJ(self->last->tail));
- self->last->tail = JOIN_SET(
- self->data, PyList_CheckExact(self->data)
- );
- }
- self->data = NULL;
- }
+ treebuilder_flush_data(self);
if (self->index == 0) {
PyErr_SetString(