authormpage <mpage@meta.com>2025-03-05 10:42:09 -0800
committerGitHub <noreply@github.com>2025-03-05 10:42:09 -0800
commitd7bb7c781771650a4edcdee9dfd1ab9c4083e9fd (patch)
tree0d034ceff4e04d2eff9cfadc40e0da39768aaab5 /Python/executor_cases.c.h
parent2904ec2273762df58645a8e245b2281884855b8c (diff)
gh-118331: Fix a couple of issues when list allocation fails (#130811)
* Fix use after free in list objects

Set the items pointer in the list object to NULL after the items array is freed during list deallocation. Otherwise, we can end up with a list object added to the free list that contains a pointer to an already-freed items array.

* Mark `_PyList_FromStackRefStealOnSuccess` as escaping

I think technically it's not escaping, because the only object that can be decrefed if allocation fails is an exact list, which cannot execute arbitrary code when it is destroyed. However, this seems less intrusive than trying to special-case objects in the assert in `_Py_Dealloc` that checks for non-null stack pointers, and it shouldn't matter for performance.
Diffstat (limited to 'Python/executor_cases.c.h')
-rw-r--r--Python/executor_cases.c.h2
1 files changed, 2 insertions, 0 deletions
diff --git a/Python/executor_cases.c.h b/Python/executor_cases.c.h
index e164f11620d..29160b9f663 100644
--- a/Python/executor_cases.c.h
+++ b/Python/executor_cases.c.h
@@ -2545,7 +2545,9 @@
_PyStackRef list;
oparg = CURRENT_OPARG();
values = &stack_pointer[-oparg];
+ _PyFrame_SetStackPointer(frame, stack_pointer);
PyObject *list_o = _PyList_FromStackRefStealOnSuccess(values, oparg);
+ stack_pointer = _PyFrame_GetStackPointer(frame);
if (list_o == NULL) {
JUMP_TO_ERROR();
}