From: Yury Selivanov <yury@magic.io>
Date: Wed, 5 Jul 2017 18:03:10 +0000 (-0400)
Subject: [3.6] bpo-30828: Fix out of bounds write in `asyncio.CFuture.remove_done_callback... 
X-Git-Tag: v3.6.3rc1~263
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=aaa4f991518611d101fba1ef3ecb18d7b385ad5b;p=python

[3.6] bpo-30828: Fix out of bounds write in `asyncio.CFuture.remove_done_callback() (GH-2569) (#2590)

(cherry picked from commit 833a3b0d3707200daeaccdd218e8f18a190284aa)
---

diff --git a/Lib/test/test_asyncio/test_futures.py b/Lib/test/test_asyncio/test_futures.py
index 5d4b2d2aa0..ce657fc1b6 100644
--- a/Lib/test/test_asyncio/test_futures.py
+++ b/Lib/test/test_asyncio/test_futures.py
@@ -593,7 +593,7 @@ class BaseFutureDoneCallbackTests():
 
         fut.remove_done_callback(evil())
 
-    def test_schedule_callbacks_list_mutation(self):
+    def test_schedule_callbacks_list_mutation_1(self):
         # see http://bugs.python.org/issue28963 for details
 
         def mut(f):
@@ -606,6 +606,28 @@ class BaseFutureDoneCallbackTests():
         fut.set_result(1)
         test_utils.run_briefly(self.loop)
 
+    def test_schedule_callbacks_list_mutation_2(self):
+        # see http://bugs.python.org/issue30828 for details
+
+        fut = self._new_future()
+        fut.add_done_callback(str)
+
+        for _ in range(63):
+            fut.add_done_callback(id)
+
+        max_extra_cbs = 100
+        extra_cbs = 0
+
+        class evil:
+            def __eq__(self, other):
+                nonlocal extra_cbs
+                extra_cbs += 1
+                if extra_cbs < max_extra_cbs:
+                    fut.add_done_callback(id)
+                return False
+
+        fut.remove_done_callback(evil())
+
 
 @unittest.skipUnless(hasattr(futures, '_CFuture'),
                      'requires the C _asyncio module')
diff --git a/Misc/NEWS.d/next/Library/2017-07-04-13-10-52.bpo-30828.CLvEvV.rst b/Misc/NEWS.d/next/Library/2017-07-04-13-10-52.bpo-30828.CLvEvV.rst
new file mode 100644
index 0000000000..8924962d07
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2017-07-04-13-10-52.bpo-30828.CLvEvV.rst
@@ -0,0 +1 @@
+Fix out of bounds write in `asyncio.CFuture.remove_done_callback()`.
diff --git a/Modules/_asynciomodule.c b/Modules/_asynciomodule.c
index 492b983597..8fbd565dd9 100644
--- a/Modules/_asynciomodule.c
+++ b/Modules/_asynciomodule.c
@@ -531,9 +531,16 @@ _asyncio_Future_remove_done_callback(FutureObj *self, PyObject *fn)
             goto fail;
         }
         if (ret == 0) {
-            Py_INCREF(item);
-            PyList_SET_ITEM(newlist, j, item);
-            j++;
+            if (j < len) {
+                Py_INCREF(item);
+                PyList_SET_ITEM(newlist, j, item);
+                j++;
+            }
+            else {
+                if (PyList_Append(newlist, item)) {
+                    goto fail;
+                }
+            }
         }
     }