Commitbd3aa0b

authored

gh-126703: Fix possible use after free in pycfunction freelist (GH-132319)

1 parent3feac7a commitbd3aa0bCopy full SHA for bd3aa0b

File tree

-1

lines changed

-1

lines changed

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	+Fix possible use after free in cases where a method's definition has the same lifetime as its ``self``.

Lines changed: 5 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -173,12 +173,16 @@ meth_dealloc(PyObject *self)`
`173`	`173`	`if (m->m_weakreflist!=NULL) {`
`174`	`174`	`PyObject_ClearWeakRefs((PyObject*)m);`
`175`	`175`	`}`
	`176`	`+// We need to access ml_flags here rather than later.`
	`177`	+// `m->m_ml` might have the same lifetime
	`178`	+// as `m_self` when it's dynamically allocated.
	`179`	`+intml_flags=m->m_ml->ml_flags;`
`176`	`180`	`// Dereference class before m_self: PyCFunction_GET_CLASS accesses`
`177`	`181`	`// PyMethodDef m_ml, which could be kept alive by m_self`
`178`	`182`	`Py_XDECREF(PyCFunction_GET_CLASS(m));`
`179`	`183`	`Py_XDECREF(m->m_self);`
`180`	`184`	`Py_XDECREF(m->m_module);`
`181`		`-if (m->m_ml->ml_flags&METH_METHOD) {`
	`185`	`+if (ml_flags&METH_METHOD) {`
`182`	`186`	`assert(Py_IS_TYPE(self,&PyCMethod_Type));`
`183`	`187`	`_Py_FREELIST_FREE(pycmethodobject,m,PyObject_GC_Del);`
`184`	`188`	`}`

Comments

(0)