Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cpython2 / bf2bd8f8a1d88de60c114de957f50fe2433e3937^! / .
commitbf2bd8f8a1d88de60c114de957f50fe2433e3937[log] [tgz]
authorVictor Stinner <vstinner@redhat.com>Fri Sep 07 10:15:31 2018 +0200
committerGitHub <noreply@github.com>Fri Sep 07 10:15:31 2018 +0200
treedc873ddf65e8e83967d8634378abcdea139b8e6a
parent9734024ec65311e33936faa83fb1cb249ef0de9d [diff]
bpo-25750: fix refcounts in type_getattro() (GH-6118) (GH-9091)

When calling tp_descr_get(self, obj, type), make sure that
we own a strong reference to "self".

(cherry picked from commit 8f735485acf2e35a75d2fa019feb8f905598c4e5)
diff --git a/Misc/NEWS.d/next/Core and Builtins/2018-03-14-21-42-17.bpo-25750.lxgkQz.rst b/Misc/NEWS.d/next/Core and Builtins/2018-03-14-21-42-17.bpo-25750.lxgkQz.rst
new file mode 100644
index 0000000..09ffb36
--- /dev/null
+++ b/Misc/NEWS.d/next/Core and Builtins/2018-03-14-21-42-17.bpo-25750.lxgkQz.rst

@@ -0,0 +1,2 @@
+Fix rare Python crash due to bad refcounting in ``type_getattro()`` if a
+descriptor deletes itself from the class. Patch by Jeroen Demeyer.

diff --git a/Objects/typeobject.c b/Objects/typeobject.c
index d576b82..844fb00 100644
--- a/Objects/typeobject.c
+++ b/Objects/typeobject.c

@@ -2611,6 +2611,7 @@
     PyTypeObject *metatype = Py_TYPE(type);
     PyObject *meta_attribute, *attribute;
     descrgetfunc meta_get;
+    PyObject* res;
 
     if (!PyString_Check(name)) {
         PyErr_Format(PyExc_TypeError,
@@ -2632,6 +2633,7 @@
     meta_attribute = _PyType_Lookup(metatype, name);
 
     if (meta_attribute != NULL) {
+        Py_INCREF(meta_attribute);
         meta_get = Py_TYPE(meta_attribute)->tp_descr_get;
 
         if (meta_get != NULL && PyDescr_IsData(meta_attribute)) {
@@ -2639,10 +2641,11 @@
              * writes. Assume the attribute is not overridden in
              * type's tp_dict (and bases): call the descriptor now.
              */
-            return meta_get(meta_attribute, (PyObject *)type,
-                            (PyObject *)metatype);
+            res = meta_get(meta_attribute, (PyObject *)type,
+                           (PyObject *)metatype);
+            Py_DECREF(meta_attribute);
+            return res;
         }
-        Py_INCREF(meta_attribute);
     }
 
     /* No data descriptor found on metatype. Look in tp_dict of this
@@ -2650,18 +2653,21 @@
     attribute = _PyType_Lookup(type, name);
     if (attribute != NULL) {
         /* Implement descriptor functionality, if any */
-        descrgetfunc local_get = Py_TYPE(attribute)->tp_descr_get;
+        descrgetfunc local_get;
+        Py_INCREF(attribute);
+        local_get = Py_TYPE(attribute)->tp_descr_get;
 
         Py_XDECREF(meta_attribute);
 
         if (local_get != NULL) {
             /* NULL 2nd argument indicates the descriptor was
              * found on the target object itself (or a base)  */
-            return local_get(attribute, (PyObject *)NULL,
-                             (PyObject *)type);
+            res = local_get(attribute, (PyObject *)NULL,
+                            (PyObject *)type);
+            Py_DECREF(attribute);
+            return res;
         }
 
-        Py_INCREF(attribute);
         return attribute;
     }