gh-151403: Fix use-after-free when an argv item's __fspath__ mutates args (GH-151404)

---------

Co-authored-by: tonghuaroot <23011166+tonghuaroot@users.noreply.github.com>

diff --git a/Misc/NEWS.d/next/Library/2026-06-12-22-46-31.gh-issue-151403.DalZWh.rst b/Misc/NEWS.d/next/Library/2026-06-12-22-46-31.gh-issue-151403.DalZWh.rst
new file mode 100644 (file)
index 0000000..ca779ed
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2026-06-12-22-46-31.gh-issue-151403.DalZWh.rst
@@ -0,0 +1,3 @@
+Fixed a crash in :class:`subprocess.Popen` (and ``_posixsubprocess.fork_exec``)
+when an ``argv`` item's :meth:`~os.PathLike.__fspath__` concurrently mutates the
+``args`` sequence being converted.

diff --git a/Modules/_posixsubprocess.c b/Modules/_posixsubprocess.c
index ddc27c4a5b7356a5c60e6077e61d79a7ccc0671f..2aa3923f68e66ad56ce40455bdb14858510a707d 100644 (file)
--- a/Modules/_posixsubprocess.c
+++ b/Modules/_posixsubprocess.c
@@ -1090,8 +1090,14 @@ subprocess_fork_exec_impl(PyObject *module, PyObject *process_args,
                 goto cleanup;
             }
             borrowed_arg = PySequence_Fast_GET_ITEM(fast_args, arg_num);
-            if (PyUnicode_FSConverter(borrowed_arg, &converted_arg) == 0)
+            /* borrowed_arg is only borrowed; its __fspath__() may run Python
+               that drops fast_args' last reference to it. */
+            Py_INCREF(borrowed_arg);
+            if (PyUnicode_FSConverter(borrowed_arg, &converted_arg) == 0) {
+                Py_DECREF(borrowed_arg);
                 goto cleanup;
+            }
+            Py_DECREF(borrowed_arg);
             PyTuple_SET_ITEM(converted_args, arg_num, converted_arg);
         }