Thanks to Coverity, these were all reported by their Prevent tool.

All of these (except _lsprof.c) should be backported.  Particularly
the hotshot change which validates sys.path.  Can someone backport?

Author: nnorwitz

Lib/test/test_hotshot.py

@@ -107,6 +107,19 @@ def test_start_stop(self):
         profiler.close()
         os.unlink(self.logfn)
 
+    def test_bad_sys_path(self):
+        import sys
+        orig_path = sys.path
+        coverage = hotshot._hotshot.coverage
+        try:
+            # verify we require a list for sys.path
+            sys.path = 'abc'
+            self.assertRaises(RuntimeError, coverage, test_support.TESTFN)
+            # verify sys.path exists
+            del sys.path
+            self.assertRaises(RuntimeError, coverage, test_support.TESTFN)
+        finally:
+            sys.path = orig_path
 
 def test_main():
     test_support.run_unittest(HotShotTestCase)

Modules/_hotshot.c

@@ -473,6 +473,8 @@ logreader_tp_iternext(LogReaderObject *self)
     }
     else if (!err) {
         result = PyTuple_New(4);
+        if (result == NULL)
+            return NULL;
         PyTuple_SET_ITEM(result, 0, PyInt_FromLong(what));
         PyTuple_SET_ITEM(result, 2, PyInt_FromLong(fileno));
         if (s1 == NULL)
@@ -1455,6 +1457,10 @@ write_header(ProfilerObject *self)
                   getcwd(cwdbuffer, sizeof cwdbuffer));
 
     temp = PySys_GetObject("path");
+    if (temp == NULL || !PyList_Check(temp)) {
+	PyErr_SetString(PyExc_RuntimeError, "sys.path must be a list");
+    	return -1;
+    }
     len = PyList_GET_SIZE(temp);
     for (i = 0; i < len; ++i) {
         PyObject *item = PyList_GET_ITEM(temp, i);

Modules/_lsprof.c

@@ -850,6 +850,8 @@ init_lsprof(void)
 {
 	PyObject *module, *d;
 	module = Py_InitModule3("_lsprof", moduleMethods, "Fast profiler");
+	if (module == NULL)
+		return;
 	d = PyModule_GetDict(module);
 	if (PyType_Ready(&PyProfiler_Type) < 0)
 		return;

Modules/_sre.c

@@ -2983,7 +2983,7 @@ match_groupdict(MatchObject* self, PyObject* args, PyObject* kw)
     return result;
 
 failed:
-    Py_DECREF(keys);
+    Py_XDECREF(keys);
     Py_DECREF(result);
     return NULL;
 }

Modules/audioop.c

@@ -1013,6 +1013,8 @@ audioop_ratecv(PyObject *self, PyObject *args)
 		while (d < 0) {
 			if (len == 0) {
 				samps = PyTuple_New(nchannels);
+				if (samps == NULL)
+					goto exit;
 				for (chan = 0; chan < nchannels; chan++)
 					PyTuple_SetItem(samps, chan,
 						Py_BuildValue("(ii)",

Modules/regexmodule.c

@@ -535,7 +535,7 @@ regex_symcomp(PyObject *self, PyObject *args)
 
 	gdict = PyDict_New();
 	if (gdict == NULL || (npattern = symcomp(pattern, gdict)) == NULL) {
-		Py_DECREF(gdict);
+		Py_XDECREF(gdict);
 		Py_DECREF(pattern);
 		return NULL;
 	}