From: Armin Rigo <arigo@tunes.org>
Date: Wed, 5 Sep 2007 07:51:21 +0000 (+0000)
Subject: PyDict_GetItem() returns a borrowed reference.
X-Git-Tag: v2.6a1~1343
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=362bb5150352603394aacc1d7d0592938962fe92;p=python

PyDict_GetItem() returns a borrowed reference.
There are probably a number of places that are open to attacks
such as the following one, in bltinmodule.c:min_max().
---

diff --git a/Lib/test/crashers/borrowed_ref_3.py b/Lib/test/crashers/borrowed_ref_3.py
new file mode 100644
index 0000000000..f241108635
--- /dev/null
+++ b/Lib/test/crashers/borrowed_ref_3.py
@@ -0,0 +1,14 @@
+"""
+PyDict_GetItem() returns a borrowed reference.
+There are probably a number of places that are open to attacks
+such as the following one, in bltinmodule.c:min_max().
+"""
+
+class KeyFunc(object):
+    def __call__(self, n):
+        del d['key']
+        return 1
+
+
+d = {'key': KeyFunc()}
+min(range(10), **d)