[3.13] gh-120298: Fix use-after-free in `list_richcompare_impl` (GH-120303) (#120340)

author Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>

Tue, 11 Jun 2024 07:28:45 +0000 (09:28 +0200)

committer GitHub <noreply@github.com>

Tue, 11 Jun 2024 07:28:45 +0000 (07:28 +0000)
author Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Tue, 11 Jun 2024 07:28:45 +0000 (09:28 +0200)
committer GitHub <noreply@github.com>
Tue, 11 Jun 2024 07:28:45 +0000 (07:28 +0000)
diff --git a/Lib/test/test_list.py b/Lib/test/test_list.py

index 0601b33e79ebb698482aa484b9020a05f6bf72cc..d21429fae09b37adca3466c18d740c5ae441ce1e 100644 (file)
--- a/Lib/test/test_list.py
+++ b/Lib/test/test_list.py
@@ -234,6 +234,17 @@ class ListTest(list_tests.CommonTest):
          list4 = [1]
          self.assertFalse(list3 == list4)
  
+    def test_lt_operator_modifying_operand(self):
+        # See gh-120298
+        class evil:
+            def __lt__(self, other):
+                other.clear()
+                return NotImplemented
+
+        a = [[evil()]]
+        with self.assertRaises(TypeError):
+            a[0] < a
+
      @cpython_only
      def test_preallocation(self):
          iterable = [0] * 10
diff --git a/Misc/NEWS.d/next/Core and Builtins/2024-06-10-10-42-48.gh-issue-120298.napREA.rst b/Misc/NEWS.d/next/Core and Builtins/2024-06-10-10-42-48.gh-issue-120298.napREA.rst

new file mode 100644 (file)

index 0000000..531d395
--- /dev/null
+++ b/Misc/NEWS.d/next/Core and Builtins/2024-06-10-10-42-48.gh-issue-120298.napREA.rst
@@ -0,0 +1,2 @@
+Fix use-after free in ``list_richcompare_impl`` which can be invoked via
+some specificly tailored evil input.
diff --git a/Objects/listobject.c b/Objects/listobject.c

index d09bb6391034d14feefd394212ab10c6ba1e18c6..6829d5d28656cf2e32bbee4082fecf19b458fec3 100644 (file)
--- a/Objects/listobject.c
+++ b/Objects/listobject.c
@@ -3382,7 +3382,14 @@ list_richcompare_impl(PyObject *v, PyObject *w, int op)
      }
  
      /* Compare the final item again using the proper operator */
-    return PyObject_RichCompare(vl->ob_item[i], wl->ob_item[i], op);
+    PyObject *vitem = vl->ob_item[i];
+    PyObject *witem = wl->ob_item[i];
+    Py_INCREF(vitem);
+    Py_INCREF(witem);
+    PyObject *result = PyObject_RichCompare(vl->ob_item[i], wl->ob_item[i], op);
+    Py_DECREF(vitem);
+    Py_DECREF(witem);
+    return result;
  }
  
  static PyObject *
author	Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
	Tue, 11 Jun 2024 07:28:45 +0000 (09:28 +0200)
committer	GitHub <noreply@github.com>
	Tue, 11 Jun 2024 07:28:45 +0000 (07:28 +0000)
Lib/test/test_list.py		patch \| blob \| blame \| history
Misc/NEWS.d/next/Core and Builtins/2024-06-10-10-42-48.gh-issue-120298.napREA.rst	[new file with mode: 0644]	patch \| blob
Objects/listobject.c		patch \| blob \| blame \| history