[3.13] gh-151416: fix a borrowed ref potential use after free via fspath in os.spawnv/spawnve (GH-151417) (GH-152536) (#152539)
[3.14] gh-151416: fix a borrowed ref potential use after free via fspath in os.spawnv/spawnve (GH-151417) (GH-152536)
gh-151416: fix a borrowed ref potential use after free via fspath in os.spawnv/spawnve (GH-151417)
* gh-151416: Fix use-after-free in os.spawnv/spawnve when __fspath__ mutates argv
The argv conversion loops passed references borrowed from the argv list
into fsconvert_strdup(). An item's __fspath__() can mutate the list and
release its reference to the item, leaving the converter operating on a
freed object. A shrunk list could also make PyList_GetItem() return
NULL, which PyUnicode_FS{Converter,Decoder}() treat as a request to
release an uninitialized output variable.
Hold a strong reference to each item across the conversion, matching
parse_arglist() and parse_envlist().
* gh-151416: Don't mask non-TypeError argv conversion errors in os.spawnv
os.spawnv() replaced any error raised during argv item conversion,
such as MemoryError, codec errors, or the embedded-null ValueError,
with a generic TypeError. Only add the contextual message when the
conversion actually raised TypeError, matching how os.spawnve() and
the exec functions propagate these errors.
The test is gated to the native C spawnv: the Python fallback used
elsewhere reports conversion failures from the forked child as exit
status 127 instead of raising.
(cherry picked from commit
11a2482b8e5c3427f7f405049e6d42ef78739c14)
(cherry picked from commit
f57d3d6db39ea0bd39743f1a614b46cbefbfdab6)
Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
projects / thirdparty / Python / cpython.git / commit
