diff options
| author | Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> | 2024-06-11 07:28:45 (GMT) |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-06-11 07:28:45 (GMT) |
| commit | 52225c64f7cd55f2bfe8515d4daf1a5ed4be6d7b (patch) | |
| tree | a2ac89998c6c0baccb97dd71faa0442906fd77cb | |
| parent | 81eae217335fc66bec343b9f11f1b68fe85667bf (diff) | |
| download | cpython-52225c64f7cd55f2bfe8515d4daf1a5ed4be6d7b.zip cpython-52225c64f7cd55f2bfe8515d4daf1a5ed4be6d7b.tar.gz cpython-52225c64f7cd55f2bfe8515d4daf1a5ed4be6d7b.tar.bz2 | |
[3.13] gh-120298: Fix use-after-free in `list_richcompare_impl` (GH-120303) (#120340)
gh-120298: Fix use-after-free in `list_richcompare_impl` (GH-120303)
(cherry picked from commit 141babad9b4eceb83371bf19ba3a36b50dd05250)
Co-authored-by: Nikita Sobolev <mail@sobolevn.me>
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
| -rw-r--r-- | Lib/test/test_list.py | 11 | ||||
| -rw-r--r-- | Misc/NEWS.d/next/Core and Builtins/2024-06-10-10-42-48.gh-issue-120298.napREA.rst | 2 | ||||
| -rw-r--r-- | Objects/listobject.c | 9 |
3 files changed, 21 insertions, 1 deletions
diff --git a/Lib/test/test_list.py b/Lib/test/test_list.py index 0601b33..d21429f 100644 --- a/Lib/test/test_list.py +++ b/Lib/test/test_list.py @@ -234,6 +234,17 @@ class ListTest(list_tests.CommonTest): list4 = [1] self.assertFalse(list3 == list4) + def test_lt_operator_modifying_operand(self): + # See gh-120298 + class evil: + def __lt__(self, other): + other.clear() + return NotImplemented + + a = [[evil()]] + with self.assertRaises(TypeError): + a[0] < a + @cpython_only def test_preallocation(self): iterable = [0] * 10 diff --git a/Misc/NEWS.d/next/Core and Builtins/2024-06-10-10-42-48.gh-issue-120298.napREA.rst b/Misc/NEWS.d/next/Core and Builtins/2024-06-10-10-42-48.gh-issue-120298.napREA.rst new file mode 100644 index 0000000..531d395 --- /dev/null +++ b/Misc/NEWS.d/next/Core and Builtins/2024-06-10-10-42-48.gh-issue-120298.napREA.rst @@ -0,0 +1,2 @@ +Fix use-after free in ``list_richcompare_impl`` which can be invoked via +some specificly tailored evil input. diff --git a/Objects/listobject.c b/Objects/listobject.c index d09bb63..6829d5d 100644 --- a/Objects/listobject.c +++ b/Objects/listobject.c @@ -3382,7 +3382,14 @@ list_richcompare_impl(PyObject *v, PyObject *w, int op) } /* Compare the final item again using the proper operator */ - return PyObject_RichCompare(vl->ob_item[i], wl->ob_item[i], op); + PyObject *vitem = vl->ob_item[i]; + PyObject *witem = wl->ob_item[i]; + Py_INCREF(vitem); + Py_INCREF(witem); + PyObject *result = PyObject_RichCompare(vl->ob_item[i], wl->ob_item[i], op); + Py_DECREF(vitem); + Py_DECREF(witem); + return result; } static PyObject * |