git.ipfire.org Git - thirdparty/Python/cpython.git/commit

author	mpage <mpage@meta.com>
	Wed, 5 Mar 2025 18:42:09 +0000 (10:42 -0800)
committer	GitHub <noreply@github.com>
	Wed, 5 Mar 2025 18:42:09 +0000 (10:42 -0800)
commit	d7bb7c781771650a4edcdee9dfd1ab9c4083e9fd
tree	0d034ceff4e04d2eff9cfadc40e0da39768aaab5	tree \| snapshot
parent	2904ec2273762df58645a8e245b2281884855b8c	commit \| diff

gh-118331: Fix a couple of issues when list allocation fails (#130811)

* Fix use after free in list objects

Set the items pointer in the list object to NULL after the items array
is freed during list deallocation. Otherwise, we can end up with a list
object added to the free list that contains a pointer to an already-freed
items array.

* Mark `_PyList_FromStackRefStealOnSuccess` as escaping

I think technically it's not escaping, because the only object that
can be decrefed if allocation fails is an exact list, which cannot
execute arbitrary code when it is destroyed. However, this seems less
intrusive than trying to special cases objects in the assert in `_Py_Dealloc`
that checks for non-null stackpointers and shouldn't matter for performance.

Include/internal/pycore_opcode_metadata.h		diff \| blob \| blame \| history
Include/internal/pycore_uop_metadata.h		diff \| blob \| blame \| history
Lib/test/test_list.py		diff \| blob \| blame \| history
Objects/listobject.c		diff \| blob \| blame \| history
Python/executor_cases.c.h		diff \| blob \| blame \| history
Python/generated_cases.c.h		diff \| blob \| blame \| history
Tools/cases_generator/analyzer.py		diff \| blob \| blame \| history