backport the security fix part of r67246

Lib/test/test_descr.py

@@ -4087,6 +4087,24 @@ def notimplemented():
                 check(iexpr, c, N1)
                 check(iexpr, c, N2)
 
+def test_lost_getattr():
+    # issue 4230
+    import gc
+    class EvilGetattribute(object):
+        def __getattr__(self, name):
+            raise AttributeError(name)
+        def __getattribute__(self, name):
+            del EvilGetattribute.__getattr__
+            for i in range(5):
+                gc.collect()
+            raise AttributeError(name)
+
+    try:
+        # This used to segfault
+        EvilGetattribute().attr
+    except AttributeError:
+        pass
+
 def test_main():
     weakref_segfault() # Must be first, somehow
     wrapper_segfault()
@@ -4183,6 +4201,7 @@ def test_main():
     vicious_descriptor_nonsense()
     test_init()
     notimplemented()
+    test_lost_getattr()
 
     if verbose: print "All OK"
 

Misc/NEWS

@@ -12,6 +12,9 @@ What's New in Python 2.4.6c1?
 Core and builtins
 -----------------
 
+- Issue #4230: Fix a crash when a class has a custom __getattr__ and an
+  __getattribute__ method that deletes the __getattr__ attribute.
+
 - Apply security patches from Apple. CVE-2008-2315.
 
 - Issue #2620: Overflow checking when allocating or reallocating memory

Objects/typeobject.c

@@ -4594,6 +4594,7 @@ slot_tp_getattr_hook(PyObject *self, PyObject *name)
 		tp->tp_getattro = slot_tp_getattro;
 		return slot_tp_getattro(self, name);
 	}
+	Py_INCREF(getattr);
 	getattribute = _PyType_Lookup(tp, getattribute_str);
 	if (getattribute == NULL ||
 	    (getattribute->ob_type == &PyWrapperDescr_Type &&
@@ -4606,6 +4607,7 @@ slot_tp_getattr_hook(PyObject *self, PyObject *name)
 		PyErr_Clear();
 		res = PyObject_CallFunction(getattr, "OO", self, name);
 	}
+	Py_DECREF(getattr);
 	return res;
 }