diff options
author | David Malcolm <dmalcolm@redhat.com> | 2011-12-22 18:16:25 -0500 |
---|---|---|
committer | Ales Kozumplik <akozumpl@redhat.com> | 2012-01-02 08:39:17 +0100 |
commit | fdba2538855d8ad94bbe5e9c21c8564d01b20f1e (patch) | |
tree | 7c7186614d6c28530bf8f578244338d51da6df62 /python | |
parent | 9cb5d5ccfbcfc454aace1a538199c76b0d931479 (diff) | |
download | librpm-tizen-fdba2538855d8ad94bbe5e9c21c8564d01b20f1e.tar.gz librpm-tizen-fdba2538855d8ad94bbe5e9c21c8564d01b20f1e.tar.bz2 librpm-tizen-fdba2538855d8ad94bbe5e9c21c8564d01b20f1e.zip |
fix use-after-free within rpmfdFromPyObject's error-handling
These lines within python/rpmfd-py.c: rpmfdFromPyObject
are the wrong way around:
Py_DECREF(fdo);
PyErr_SetString(PyExc_IOError, Fstrerror(fdo->fd));
If fdo was allocated by the call above to PyObject_CallFunctionObjArgs,
it may have an ob_refcnt == 1, and thus the Py_DECREF() frees it, so
fdo->fd is reading from deallocated memory.
Signed-off-by: Ales Kozumplik <akozumpl@redhat.com>
Diffstat (limited to 'python')
-rw-r--r-- | python/rpmfd-py.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/python/rpmfd-py.c b/python/rpmfd-py.c index 2d443f36f..a266ad686 100644 --- a/python/rpmfd-py.c +++ b/python/rpmfd-py.c @@ -29,8 +29,8 @@ int rpmfdFromPyObject(PyObject *obj, rpmfdObject **fdop) if (fdo == NULL) return 0; if (Ferror(fdo->fd)) { - Py_DECREF(fdo); PyErr_SetString(PyExc_IOError, Fstrerror(fdo->fd)); + Py_DECREF(fdo); return 0; } *fdop = fdo; |