SF patch #1005778, Fix seg fault if list object is modified during list.index()
Backport candidate
diff --git a/Lib/test/list_tests.py b/Lib/test/list_tests.py
index d20d198..1233ad1 100644
--- a/Lib/test/list_tests.py
+++ b/Lib/test/list_tests.py
@@ -311,6 +311,18 @@
self.assertRaises(ValueError, a.index, 2, 0, 4)
self.assertEqual(a, self.type2test([-2, -1, 0, 1, 2]))
+ # Test modifying the list during index's iteration
+ class EvilCmp:
+ def __init__(self, victim):
+ self.victim = victim
+ def __eq__(self, other):
+ del self.victim[:]
+ return False
+ a = self.type2test()
+ a[:] = [EvilCmp(a) for _ in xrange(100)]
+ # This used to seg fault before patch #1005778
+ self.assertRaises(ValueError, a.index, None)
+
def test_reverse(self):
u = self.type2test([-2, -1, 0, 1, 2])
u2 = u[:]
diff --git a/Misc/NEWS b/Misc/NEWS
index c4a1cf1..c1c7867 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -12,6 +12,10 @@
Core and builtins
-----------------
+- SF patch #1005778. Fix a seg fault if the list size changed while
+ calling list.index(). This could happen if a rich comparison function
+ modified the list.
+
- The ``func_name`` (a.k.a. ``__name__``) attribute of user-defined
functions is now writable.
diff --git a/Objects/listobject.c b/Objects/listobject.c
index e5d5b25..89cedc9 100644
--- a/Objects/listobject.c
+++ b/Objects/listobject.c
@@ -2186,9 +2186,7 @@
if (stop < 0)
stop = 0;
}
- else if (stop > self->ob_size)
- stop = self->ob_size;
- for (i = start; i < stop; i++) {
+ for (i = start; i < stop && i < self->ob_size; i++) {
int cmp = PyObject_RichCompareBool(self->ob_item[i], v, Py_EQ);
if (cmp > 0)
return PyInt_FromLong((long)i);