From: Serhiy Storchaka <storchaka@gmail.com>
Date: Thu, 24 Dec 2015 09:53:16 +0000 (+0200)
Subject: Issue #24103: Fixed possible use after free in ElementTree.XMLPullParser.
X-Git-Tag: v3.6.0a1~868
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=ea8c43152fdaa508ec189062b09a470f1b4ba535;p=python

Issue #24103: Fixed possible use after free in ElementTree.XMLPullParser.
---

ea8c43152fdaa508ec189062b09a470f1b4ba535
diff --cc Modules/_elementtree.c
index 5908c725e1,2856bacc4a..f69ce29766
--- a/Modules/_elementtree.c
+++ b/Modules/_elementtree.c
@@@ -3578,12 -3595,12 +3578,12 @@@ static PyObject 
  _elementtree_XMLParser__setevents_impl(XMLParserObject *self,
                                         PyObject *events_queue,
                                         PyObject *events_to_report)
 -/*[clinic end generated code: output=1440092922b13ed1 input=59db9742910c6174]*/
 +/*[clinic end generated code: output=1440092922b13ed1 input=abf90830a1c3b0fc]*/
  {
      /* activate element event reporting */
-     Py_ssize_t i, seqlen;
+     Py_ssize_t i;
      TreeBuilderObject *target;
 -    PyObject *events_seq;
 +    PyObject *events_append, *events_seq;
  
      if (!TreeBuilder_CheckExact(self->target)) {
          PyErr_SetString(
@@@ -3596,11 -3613,8 +3596,10 @@@
  
      target = (TreeBuilderObject*) self->target;
  
 -    Py_INCREF(events_queue);
 -    Py_SETREF(target->events, events_queue);
 +    events_append = PyObject_GetAttrString(events_queue, "append");
 +    if (events_append == NULL)
 +        return NULL;
-     Py_XDECREF(target->events_append);
-     target->events_append = events_append;
++    Py_SETREF(target->events_append, events_append);
  
      /* clear out existing events */
      Py_CLEAR(target->start_event_obj);