summaryrefslogtreecommitdiff
path: root/python
diff options
context:
space:
mode:
authorDavid Malcolm <dmalcolm@redhat.com>2011-12-22 18:16:25 -0500
committerAles Kozumplik <akozumpl@redhat.com>2012-01-02 08:39:17 +0100
commitfdba2538855d8ad94bbe5e9c21c8564d01b20f1e (patch)
tree7c7186614d6c28530bf8f578244338d51da6df62 /python
parent9cb5d5ccfbcfc454aace1a538199c76b0d931479 (diff)
downloadlibrpm-tizen-fdba2538855d8ad94bbe5e9c21c8564d01b20f1e.tar.gz
librpm-tizen-fdba2538855d8ad94bbe5e9c21c8564d01b20f1e.tar.bz2
librpm-tizen-fdba2538855d8ad94bbe5e9c21c8564d01b20f1e.zip
fix use-after-free within rpmfdFromPyObject's error-handling
These lines within python/rpmfd-py.c: rpmfdFromPyObject are the wrong way around: Py_DECREF(fdo); PyErr_SetString(PyExc_IOError, Fstrerror(fdo->fd)); If fdo was allocated by the call above to PyObject_CallFunctionObjArgs, it may have an ob_refcnt == 1, and thus the Py_DECREF() frees it, so fdo->fd is reading from deallocated memory. Signed-off-by: Ales Kozumplik <akozumpl@redhat.com>
Diffstat (limited to 'python')
-rw-r--r--python/rpmfd-py.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/python/rpmfd-py.c b/python/rpmfd-py.c
index 2d443f36f..a266ad686 100644
--- a/python/rpmfd-py.c
+++ b/python/rpmfd-py.c
@@ -29,8 +29,8 @@ int rpmfdFromPyObject(PyObject *obj, rpmfdObject **fdop)
if (fdo == NULL) return 0;
if (Ferror(fdo->fd)) {
- Py_DECREF(fdo);
PyErr_SetString(PyExc_IOError, Fstrerror(fdo->fd));
+ Py_DECREF(fdo);
return 0;
}
*fdop = fdo;