May 7, 2025 · May 7, 2025 · May 11, 2025 · May 11, 2025 · May 11, 2025 · May 12, 2025
diff --git a/Modules/_sre/sre.c b/Modules/_sre/sre.c

    if (start < 0) {
        start += self->groups;
        if (start < 0)
        if (start < 0) {
            start = 0;
        }
    }
    if (stop < 0) {
        stop += self->groups;
    }
    for (i = start; i < stop; i++) {
        PyObject* group = match_getslice_by_index(self, i, Py_None);
        if (group == NULL)
        if (group == NULL) {
            return NULL;
        }
        int cmp = PyObject_RichCompareBool(group, value, Py_EQ);
        Py_DECREF(group);
        if (cmp > 0)
        if (cmp > 0) {
            return PyLong_FromSsize_t(i);
        else if (cmp < 0)
        }
        else if (cmp < 0) {
            return NULL;
        }
    }
    PyErr_SetString(PyExc_ValueError, "match.index(x): x not in match");
    return NULL;

    for (i = 0; i < self->groups; i++) {
        PyObject* group = match_getslice_by_index(self, i, Py_None);
        if (group == NULL)
        if (group == NULL) {
            return NULL;
        }
        int cmp = PyObject_RichCompareBool(group, value, Py_EQ);
        Py_DECREF(group);
        if (cmp > 0)
        if (cmp > 0) {
            count++;
        else if (cmp < 0)
        }
        else if (cmp < 0) {
            return NULL;
        }
    }
    return PyLong_FromSsize_t(count);
 }
Original file line number	Diff line number	Diff line change
Expand Up		@@ -2657,8 +2657,9 @@ _sre_SRE_Match_index_impl(MatchObject self, PyObject value,

		if (start < 0) {
		start += self->groups;
		if (start < 0)
		if (start < 0) {
		start = 0;
		}
		}
		if (stop < 0) {
		stop += self->groups;
Expand All		@@ -2668,14 +2669,17 @@ _sre_SRE_Match_index_impl(MatchObject self, PyObject value,
		}
		for (i = start; i < stop; i++) {
		PyObject* group = match_getslice_by_index(self, i, Py_None);
		if (group == NULL)
		if (group == NULL) {
		return NULL;
		}
		int cmp = PyObject_RichCompareBool(group, value, Py_EQ);
Copy link Member ZeroIntensityMay 11, 2025 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others.Learn more. I'm pretty sure we need to incref the value in case the`__bool__` releases a reference. cc@picnixz who fixed a bunch of issues related to that. Copy link ContributorAuthor vberlierMay 11, 2025 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others.Learn more. Not sure if this is what you're talking about, but I think this is already handled by`PyObject_RichCompareBool` out of the box. It's a wrapper around`PyObject_RichCompare` that unwraps and decref the returned object. Copy link Member picnixzMay 15, 2025• edited Loading Choose a reason for hiding this comment The reason will be displayed to describe this comment to others.Learn more. It's not about the returned object, it's about the inputs.`PyObject_RichCompareBool` and`PyObject_RichCompare` can call arbitrary Python code in general, so if such arbitrary code actually releases or changes their inputs, we may end up with what we call a "use-after-free" (and usually it leads to a SIGSEV, but in other occurrences it can be a security issue). In order to determine whether there is a UAF or not, you need to check whether`group` or`value` can actually be obtained from pure Python code and be changed by the call to`__eq__`. In this case,`value` can be modified in place by its call, but`_sre_SRE_Match_index_impl` should have already held a strong reference on it, so there shouldn't be a UAF. Copy link ContributorAuthor vberlierMay 15, 2025 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others.Learn more. I see, thanks for the explanation!
		Py_DECREF(group);
		if (cmp > 0)
		if (cmp > 0) {
		return PyLong_FromSsize_t(i);
		else if (cmp < 0)
		}
		else if (cmp < 0) {
		return NULL;
		}
		}
		PyErr_SetString(PyExc_ValueError, "match.index(x): x not in match");
picnixz marked this conversation as resolved. Show resolvedHide resolved
		return NULL;
Expand All		@@ -2699,14 +2703,17 @@ _sre_SRE_Match_count_impl(MatchObject self, PyObject value)

		for (i = 0; i < self->groups; i++) {
		PyObject* group = match_getslice_by_index(self, i, Py_None);
		if (group == NULL)
		if (group == NULL) {
		return NULL;
		}
		int cmp = PyObject_RichCompareBool(group, value, Py_EQ);
		Py_DECREF(group);
		if (cmp > 0)
		if (cmp > 0) {
picnixz marked this conversation as resolved. Show resolvedHide resolved Copy link Member picnixzMay 15, 2025 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others.Learn more. Now you can use an`else if` here
		count++;
		else if (cmp < 0)
		}
		else if (cmp < 0) {
		return NULL;
		}
		}
		return PyLong_FromSsize_t(count);
		}
Expand Down