git.ipfire.org Git - thirdparty/Python/cpython.git/commit

[3.14] gh-148660: Fix use-after-free in OrderedDict.copy() on reentrant mutation (GH-151573) (#152541)

gh-148660: Fix use-after-free in OrderedDict.copy() on reentrant mutation (GH-151573)

* gh-148660: Fix use-after-free in OrderedDict.copy() on reentrant mutation

OrderedDict.copy() walks the internal linked list while building the new
dict. The loop body can run arbitrary Python (a key's __eq__/__hash__, or
a subclass __getitem__/__setitem__) which can clear the source dict and
free the nodes being iterated.

Detect this the same way OrderedDict.__eq__ already does (gh-119004):
snapshot od_state before the loop, hold a strong reference to the key and
read the hash before any reentrant call, and raise RuntimeError if the
state changed before advancing to the next node.

* gh-148660: fix NEWS nit, suppress undocumented OrderedDict.copy xref
(cherry picked from commit 7d128e319f3730e776a9161a4b5e9de95c802eaf)

Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>

author	Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
	Mon, 29 Jun 2026 02:30:22 +0000 (04:30 +0200)
committer	GitHub <noreply@github.com>
	Mon, 29 Jun 2026 02:30:22 +0000 (02:30 +0000)
commit	6f8628842fcd4c16fc99e347abe8e3dca2645c9d
tree	866dee2a4350ceb19c67cb99f39c77a86b66cc3a	tree \| snapshot
parent	11a2482b8e5c3427f7f405049e6d42ef78739c14	commit \| diff

Lib/test/test_ordered_dict.py		diff \| blob \| blame \| history
Misc/NEWS.d/next/Library/2026-06-17-00-00-00.gh-issue-148660.odcopy.rst	[new file with mode: 0644]	blob
Objects/odictobject.c		diff \| blob \| blame \| history