[3.6] bpo-30828: Fix out of bounds write in `asyncio.CFuture.remove_done_callback() (GH-2569) (#2590)
(cherry picked from commit 833a3b0d3707200daeaccdd218e8f18a190284aa)
diff --git a/Lib/test/test_asyncio/test_futures.py b/Lib/test/test_asyncio/test_futures.py
index 5d4b2d2..ce657fc 100644
--- a/Lib/test/test_asyncio/test_futures.py
+++ b/Lib/test/test_asyncio/test_futures.py
@@ -593,7 +593,7 @@
fut.remove_done_callback(evil())
- def test_schedule_callbacks_list_mutation(self):
+ def test_schedule_callbacks_list_mutation_1(self):
# see http://bugs.python.org/issue28963 for details
def mut(f):
@@ -606,6 +606,28 @@
fut.set_result(1)
test_utils.run_briefly(self.loop)
+ def test_schedule_callbacks_list_mutation_2(self):
+ # see http://bugs.python.org/issue30828 for details
+
+ fut = self._new_future()
+ fut.add_done_callback(str)
+
+ for _ in range(63):
+ fut.add_done_callback(id)
+
+ max_extra_cbs = 100
+ extra_cbs = 0
+
+ class evil:
+ def __eq__(self, other):
+ nonlocal extra_cbs
+ extra_cbs += 1
+ if extra_cbs < max_extra_cbs:
+ fut.add_done_callback(id)
+ return False
+
+ fut.remove_done_callback(evil())
+
@unittest.skipUnless(hasattr(futures, '_CFuture'),
'requires the C _asyncio module')
diff --git a/Misc/NEWS.d/next/Library/2017-07-04-13-10-52.bpo-30828.CLvEvV.rst b/Misc/NEWS.d/next/Library/2017-07-04-13-10-52.bpo-30828.CLvEvV.rst
new file mode 100644
index 0000000..8924962
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2017-07-04-13-10-52.bpo-30828.CLvEvV.rst
@@ -0,0 +1 @@
+Fix out of bounds write in `asyncio.CFuture.remove_done_callback()`.
diff --git a/Modules/_asynciomodule.c b/Modules/_asynciomodule.c
index 492b983..8fbd565 100644
--- a/Modules/_asynciomodule.c
+++ b/Modules/_asynciomodule.c
@@ -531,9 +531,16 @@
goto fail;
}
if (ret == 0) {
- Py_INCREF(item);
- PyList_SET_ITEM(newlist, j, item);
- j++;
+ if (j < len) {
+ Py_INCREF(item);
+ PyList_SET_ITEM(newlist, j, item);
+ j++;
+ }
+ else {
+ if (PyList_Append(newlist, item)) {
+ goto fail;
+ }
+ }
}
}