backport the security fix part of r67246

benjaminp · benjaminp · commit 38ce9c294b00 · 2008-11-17T23:27:02.000Z
diff --git a/Lib/test/test_descr.py b/Lib/test/test_descr.py
@@ -4087,6 +4087,24 @@ def check(expr, x, y):
                 check(iexpr, c, N1)
                 check(iexpr, c, N2)
 
+def test_lost_getattr():
+    # issue 4230
+    import gc
+    class EvilGetattribute(object):
+        def __getattr__(self, name):
+            raise AttributeError(name)
+        def __getattribute__(self, name):
+            del EvilGetattribute.__getattr__
+            for i in range(5):
+                gc.collect()
+            raise AttributeError(name)
+
+    try:
+        # This used to segfault
+        EvilGetattribute().attr
+    except AttributeError:
+        pass
+
 def test_main():
     weakref_segfault() # Must be first, somehow
     wrapper_segfault()
@@ -4183,6 +4201,7 @@ def test_main():
     vicious_descriptor_nonsense()
     test_init()
     notimplemented()
+    test_lost_getattr()
 
     if verbose: print "All OK"
 
diff --git a/Misc/NEWS b/Misc/NEWS
@@ -12,6 +12,9 @@ What's New in Python 2.4.6c1?
 Core and builtins
 -----------------
 
+- Issue #4230: Fix a crash when a class has a custom __getattr__ and an
+  __getattribute__ method that deletes the __getattr__ attribute.
+
 - Apply security patches from Apple. CVE-2008-2315.
 
 - Issue #2620: Overflow checking when allocating or reallocating memory
diff --git a/Objects/typeobject.c b/Objects/typeobject.c
@@ -4594,6 +4594,7 @@ slot_tp_getattr_hook(PyObject *self, PyObject *name)
 		tp->tp_getattro = slot_tp_getattro;
 		return slot_tp_getattro(self, name);
 	}
+	Py_INCREF(getattr);
 	getattribute = _PyType_Lookup(tp, getattribute_str);
 	if (getattribute == NULL ||
 	    (getattribute->ob_type == &PyWrapperDescr_Type &&
@@ -4606,6 +4607,7 @@ slot_tp_getattr_hook(PyObject *self, PyObject *name)
 		PyErr_Clear();
 		res = PyObject_CallFunction(getattr, "OO", self, name);
 	}
+	Py_DECREF(getattr);
 	return res;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -4594,6 +4594,7 @@ slot_tp_getattr_hook(PyObject self, PyObject name)`
`4594`	`4594`	`tp->tp_getattro = slot_tp_getattro;`
`4595`	`4595`	`return slot_tp_getattro(self, name);`
`4596`	`4596`	`}`
	`4597`	`+ Py_INCREF(getattr);`
`4597`	`4598`	`getattribute = _PyType_Lookup(tp, getattribute_str);`
`4598`	`4599`	`if (getattribute == NULL \|\|`
`4599`	`4600`	`(getattribute->ob_type == &PyWrapperDescr_Type &&`
`@@ -4606,6 +4607,7 @@ slot_tp_getattr_hook(PyObject self, PyObject name)`
`4606`	`4607`	`PyErr_Clear();`
`4607`	`4608`	`res = PyObject_CallFunction(getattr, "OO", self, name);`
`4608`	`4609`	`}`
	`4610`	`+ Py_DECREF(getattr);`
`4609`	`4611`	`return res;`
`4610`	`4612`	`}`
`4611`	`4613`