Argument Clinicstr_converter generate such code whenencoding is set
(see functiontest_str_converter_encoding in file Lib/test/clinic.test):

/* -- snip -- */if (!_PyArg_ParseStack(args,nargs,"esesetes#et#:test_str_converter_encoding","idna",&a,"idna",&b,"idna",&c,"idna",&d,&d_length,"idna",&e,&e_length)) {        gotoexit;    }return_value=test_str_converter_encoding_impl(module,a,b,c,d,d_length,e,e_length);exit:/* Cleanup for a */if (a) {PyMem_FREE(a);    }/* Cleanup for b */if (b) {PyMem_FREE(b);    }/* Cleanup for c */if (c) {PyMem_FREE(c);    }/* -- snip -- */

If parsinga successes,a will be assigned an address points to an allocated memory.
After that, if parsingb fails, the memory whicha points to is freed by function_PyArg_ParseStack,
and_PyArg_ParseStack returns 0, then control flow goes to label "exit".
At this time,a is not NULL, so the memory it points to is freed again, which cause a double-free problem and a runtime crash.

This bug is found in#96178 "Argument Clinic functional test".

• PR:gh-99240: Fix double-free bug in Argument Clinic str_converter generated code #99241

• PR:gh-99240: Reset pointer to NULL when the pointed memory is freed in argument parsing #99890

• PR:[3.11] gh-99240: Fix double-free bug in Argument Clinic str_converter generated code (GH-99241) #100352

• PR:[3.10] gh-99240: Fix double-free bug in Argument Clinic str_converter generated code (GH-99241) #100353

• PR:[3.11] gh-99240: Reset pointer to NULL when the pointed memory is freed in argument parsing (GH-99890) #100385

• PR:[3.10] gh-99240: Reset pointer to NULL when the pointed memory is freed in argument parsing (GH-99890) #100386