git.ipfire.org Git - thirdparty/Python/cpython.git/commit
[3.12] gh-106092: Fix use-after-free crash in frame_dealloc (GH-106875) (#107532)
author: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Tue, 1 Aug 2023 10:42:55 +0000 (03:42 -0700)
committer: GitHub <noreply@github.com>
Tue, 1 Aug 2023 10:42:55 +0000 (12:42 +0200)
commit: b68faa3fa3214cda35d5a34639a7a62b6a98bc6c
tree: 8383ad55b2ed0a5bbb3347356b9ccd7f7bea3a08
parent: fc4532a55d23887bae49350d2f939c597d6b5b98
gh-106092: Fix use-after-free crash in frame_dealloc (GH-106875)

It was possible for the trashcan to delay the deallocation of a
PyFrameObject until after its corresponding _PyInterpreterFrame has
already been freed.  So frame_dealloc needs to avoid dereferencing the
f_frame pointer unless it first checks that the pointer still points
to the interpreter frame within the frame object.

(cherry picked from commit 557b05c7a5334de5da3dc94c108c0121f10b9191)

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
Co-authored-by: Anders Kaseorg <andersk@mit.edu>
Misc/NEWS.d/next/Core and Builtins/2023-07-18-16-13-51.gh-issue-106092.bObgRM.rst [new file with mode: 0644]
Objects/frameobject.c
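
The check the commit message describes, as an added example that is not code from this commit or from CPython: a simplified C model of a deallocator that dereferences its frame pointer only when it still points at the frame embedded in the object. The struct layouts, `stack_slot`, and the `dealloc_*` and `run_dealloc` functions are hypothetical, and a freed interpreter frame is modelled as a reused slot so the stale read is observable without real undefined behaviour.

```c
#include <stdlib.h>

/* Hypothetical, simplified stand-ins for _PyInterpreterFrame and
   PyFrameObject; these are not CPython's real layouts. */
enum { OWNED_BY_THREAD, OWNED_BY_FRAME_OBJECT };
struct interp_frame { int owner; int nlocals; };
struct frame_object {
    struct interp_frame *f_frame;  /* external frame, or &embedded once owned */
    struct interp_frame embedded;  /* lives exactly as long as the object */
};

/* Constructed slot standing in for the thread's frame stack. A released
   frame is modelled as a reused slot, so a stale read is observable. */
static struct interp_frame stack_slot;

/* Modelled "before": trusts f_frame even though it may be stale. */
int dealloc_unchecked(struct frame_object *f) {
    int cleared = 0;
    if (f->f_frame->owner == OWNED_BY_FRAME_OBJECT)
        cleared = f->f_frame->nlocals;
    free(f);
    return cleared;
}

/* Modelled "after": dereference only when f_frame is the embedded frame. */
int dealloc_checked(struct frame_object *f) {
    struct interp_frame *own = &f->embedded;
    int cleared = 0;
    if (f->f_frame == own && own->owner == OWNED_BY_FRAME_OBJECT)
        cleared = own->nlocals;
    free(f);
    return cleared;
}

/* owned=1: the object owns its embedded frame (3 locals to clear).
   owned=0: delayed case, f_frame aims at a slot released and reused earlier. */
int run_dealloc(int owned, int checked) {
    struct frame_object *f = calloc(1, sizeof *f);
    if (f == NULL) return -1;
    if (owned) {
        f->embedded = (struct interp_frame){ OWNED_BY_FRAME_OBJECT, 3 };
        f->f_frame = &f->embedded;
    } else {
        stack_slot = (struct interp_frame){ OWNED_BY_FRAME_OBJECT, 9999 };
        f->f_frame = &stack_slot;
    }
    return checked ? dealloc_checked(f) : dealloc_unchecked(f);
}
```

In the delayed case the unchecked variant acts on whatever now occupies the slot, while the checked variant touches only storage whose lifetime is tied to the object.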