git.ipfire.org Git - thirdparty/Python/cpython.git/commit

author	Gregory P. Smith <68491+gpshead@users.noreply.github.com>
	Mon, 29 Jun 2026 02:04:10 +0000 (19:04 -0700)
committer	GitHub <noreply@github.com>
	Mon, 29 Jun 2026 02:04:10 +0000 (19:04 -0700)
commit	7d128e319f3730e776a9161a4b5e9de95c802eaf
tree	9e28e59e541cb1b514073e71db2e5b66bb7e6ca9	tree \| snapshot
parent	f57d3d6db39ea0bd39743f1a614b46cbefbfdab6	commit \| diff

gh-148660: Fix use-after-free in OrderedDict.copy() on reentrant mutation (GH-151573)

* gh-148660: Fix use-after-free in OrderedDict.copy() on reentrant mutation

OrderedDict.copy() walks the internal linked list while building the new
dict. The loop body can run arbitrary Python (a key's __eq__/__hash__, or
a subclass __getitem__/__setitem__) which can clear the source dict and
free the nodes being iterated.

Detect this the same way OrderedDict.__eq__ already does (gh-119004):
snapshot od_state before the loop, hold a strong reference to the key and
read the hash before any reentrant call, and raise RuntimeError if the
state changed before advancing to the next node.

* gh-148660: fix NEWS nit, suppress undocumented OrderedDict.copy xref

Lib/test/test_ordered_dict.py		diff \| blob \| blame \| history
Misc/NEWS.d/next/Library/2026-06-17-00-00-00.gh-issue-148660.odcopy.rst	[new file with mode: 0644]	blob
Objects/odictobject.c		diff \| blob \| blame \| history