Issue #6083: Fix multiple segmentation faults that occurred when PyArg_ParseTuple
parses a nested mutating sequence.
diff --git a/Modules/_ctypes/_ctypes.c b/Modules/_ctypes/_ctypes.c
index e892030..599d90a 100644
--- a/Modules/_ctypes/_ctypes.c
+++ b/Modules/_ctypes/_ctypes.c
@@ -3294,23 +3294,37 @@
{
char *name;
int (* address)(void);
+ PyObject *ftuple;
PyObject *dll;
PyObject *obj;
PyCFuncPtrObject *self;
void *handle;
PyObject *paramflags = NULL;
- if (!PyArg_ParseTuple(args, "(O&O)|O", _get_name, &name, &dll, ¶mflags))
+ if (!PyArg_ParseTuple(args, "O|O", &ftuple, ¶mflags))
return NULL;
if (paramflags == Py_None)
paramflags = NULL;
- obj = PyObject_GetAttrString(dll, "_handle");
- if (!obj)
+ ftuple = PySequence_Tuple(ftuple);
+ if (!ftuple)
+ /* Here ftuple is a borrowed reference */
return NULL;
+
+ if (!PyArg_ParseTuple(ftuple, "O&O", _get_name, &name, &dll)) {
+ Py_DECREF(ftuple);
+ return NULL;
+ }
+
+ obj = PyObject_GetAttrString(dll, "_handle");
+ if (!obj) {
+ Py_DECREF(ftuple);
+ return NULL;
+ }
if (!PyInt_Check(obj) && !PyLong_Check(obj)) {
PyErr_SetString(PyExc_TypeError,
"the _handle attribute of the second argument must be an integer");
+ Py_DECREF(ftuple);
Py_DECREF(obj);
return NULL;
}
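Review bot: The comment `/* Here ftuple is a borrowed reference */` sits between `if (!ftuple)` and `return NULL;`, where `ftuple` has just been overwritten with NULL, so it reads as describing the wrong object and hides why no `Py_DECREF` is needed on that path. I would move the explanation above the conversion, for example `/* Snapshot the caller's sequence into a tuple we own, so the items parsed below stay alive even if the original sequence is mutated. */`, and brace the failure branch. It is also worth a one-line comment that `name` and `dll` are borrowed from the new `ftuple` and must not be used after its `Py_DECREF` unless a reference is taken first. The same comment placement appears in Modules/resource.c after `limits = PySequence_Tuple(limits);`. The function's signature and tail are outside this hunk.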
@@ -3319,6 +3333,7 @@
if (PyErr_Occurred()) {
PyErr_SetString(PyExc_ValueError,
"could not convert the _handle attribute to a pointer");
+ Py_DECREF(ftuple);
return NULL;
}
@@ -3333,6 +3348,7 @@
PyErr_Format(PyExc_AttributeError,
"function ordinal %d not found",
(WORD)(size_t)name);
+ Py_DECREF(ftuple);
return NULL;
}
#else
@@ -3346,9 +3362,12 @@
#else
PyErr_SetString(PyExc_AttributeError, ctypes_dlerror());
#endif
+ Py_DECREF(ftuple);
return NULL;
}
#endif
+ Py_INCREF(dll); /* for KeepRef */
+ Py_DECREF(ftuple);
if (!_validate_paramflags(type, paramflags))
return NULL;
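Review bot: `Py_INCREF(dll)` now runs before `_validate_paramflags`, so the `return NULL;` directly after it leaks the reference just taken on `dll`. Any other early return between this point and the `KeepRef` call (not visible in this hunk) would leak it the same way. Either release it on the failure path, `if (!_validate_paramflags(type, paramflags)) { Py_DECREF(dll); return NULL; }`, or keep `ftuple` alive and do the `Py_INCREF(dll); Py_DECREF(ftuple);` pair immediately before `KeepRef`, adding `Py_DECREF(ftuple)` to the intermediate error returns.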
@@ -3361,7 +3380,6 @@
*(void **)self->b_ptr = address;
- Py_INCREF((PyObject *)dll); /* for KeepRef */
if (-1 == KeepRef((CDataObject *)self, 0, dll)) {
Py_DECREF((PyObject *)self);
return NULL;
diff --git a/Modules/_functoolsmodule.c b/Modules/_functoolsmodule.c
index aa9eaee..6397ba9 100644
--- a/Modules/_functoolsmodule.c
+++ b/Modules/_functoolsmodule.c
@@ -290,10 +290,10 @@
}
PyObject *
-partial_setstate(partialobject *pto, PyObject *args)
+partial_setstate(partialobject *pto, PyObject *state)
{
PyObject *fn, *fnargs, *kw, *dict;
- if (!PyArg_ParseTuple(args, "(OOOO):__setstate__",
+ if (!PyArg_ParseTuple(state, "OOOO",
&fn, &fnargs, &kw, &dict))
return NULL;
Py_XDECREF(pto->fn);
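Review bot: With `METH_O`, `state` can be any object, but `PyArg_ParseTuple(state, "OOOO", ...)` requires a real tuple; a list or other non-tuple makes it fail with SystemError instead of a TypeError the caller can act on. A guard before the parse keeps the failure user-facing: `if (!PyTuple_Check(state)) { PyErr_SetString(PyExc_TypeError, "invalid partial state"); return NULL; }` (message text is a suggestion). Dropping `:__setstate__` from the format also removes the function name from parse error messages. The rest of partial_setstate is outside this hunk, so it cannot be seen here whether the four items are type-checked before being stored; `"OOOO"` itself accepts arbitrary objects, which matters because `__setstate__` is reachable from unpickling.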
@@ -317,7 +317,7 @@
static PyMethodDef partial_methods[] = {
{"__reduce__", (PyCFunction)partial_reduce, METH_NOARGS},
- {"__setstate__", (PyCFunction)partial_setstate, METH_VARARGS},
+ {"__setstate__", (PyCFunction)partial_setstate, METH_O},
{NULL, NULL} /* sentinel */
};
diff --git a/Modules/resource.c b/Modules/resource.c
index 9993b93..53a6c3e 100644
--- a/Modules/resource.c
+++ b/Modules/resource.c
@@ -145,10 +145,9 @@
{
struct rlimit rl;
int resource;
- PyObject *curobj, *maxobj;
+ PyObject *limits, *curobj, *maxobj;
- if (!PyArg_ParseTuple(args, "i(OO):setrlimit",
- &resource, &curobj, &maxobj))
+ if (!PyArg_ParseTuple(args, "iO:setrlimit", &resource, &limits))
return NULL;
if (resource < 0 || resource >= RLIM_NLIMITS) {
@@ -157,23 +156,36 @@
return NULL;
}
+ limits = PySequence_Tuple(limits);
+ if (!limits)
+ /* Here limits is a borrowed reference */
+ return NULL;
+
+ if (PyTuple_GET_SIZE(limits) != 2) {
+ PyErr_SetString(PyExc_ValueError,
+ "expected a tuple of 2 integers");
+ goto error;
+ }
+ curobj = PyTuple_GET_ITEM(limits, 0);
+ maxobj = PyTuple_GET_ITEM(limits, 1);
+
#if !defined(HAVE_LARGEFILE_SUPPORT)
rl.rlim_cur = PyInt_AsLong(curobj);
if (rl.rlim_cur == (rlim_t)-1 && PyErr_Occurred())
- return NULL;
+ goto error;
rl.rlim_max = PyInt_AsLong(maxobj);
if (rl.rlim_max == (rlim_t)-1 && PyErr_Occurred())
- return NULL;
+ goto error;
#else
/* The limits are probably bigger than a long */
rl.rlim_cur = PyLong_Check(curobj) ?
PyLong_AsLongLong(curobj) : PyInt_AsLong(curobj);
if (rl.rlim_cur == (rlim_t)-1 && PyErr_Occurred())
- return NULL;
+ goto error;
rl.rlim_max = PyLong_Check(maxobj) ?
PyLong_AsLongLong(maxobj) : PyInt_AsLong(maxobj);
if (rl.rlim_max == (rlim_t)-1 && PyErr_Occurred())
- return NULL;
+ goto error;
#endif
rl.rlim_cur = rl.rlim_cur & RLIM_INFINITY;
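Review bot: A wrong-length `limits` now raises ValueError from the explicit `PyTuple_GET_SIZE(limits) != 2` check, whereas the old `"i(OO):setrlimit"` format reported the same mistake through PyArg_ParseTuple (a TypeError, as far as I can tell). If callers or tests rely on the old exception type, keep it with `PyErr_SetString(PyExc_TypeError, "expected a tuple of 2 integers");`; otherwise the change deserves a line in the commit message. The message also says "tuple" although any sequence is accepted through `PySequence_Tuple`. `curobj` and `maxobj` are borrowed from `limits`, so a short comment at the `PyTuple_GET_ITEM` lines saying they are valid only until `Py_DECREF(limits)` would help the next reader.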
@@ -187,10 +199,15 @@
"not allowed to raise maximum limit");
else
PyErr_SetFromErrno(ResourceError);
- return NULL;
+ goto error;
}
+ Py_DECREF(limits);
Py_INCREF(Py_None);
return Py_None;
+
+ error:
+ Py_DECREF(limits);
+ return NULL;
}
static PyObject *