gh-120298: Fix use-after-free in `list_richcompare_impl` (#120303)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
This commit is contained in:
Nikita Sobolev 2024-06-11 10:04:27 +03:00 committed by GitHub
parent 9e9ee50421
commit 141babad9b
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 21 additions and 1 deletions

View File

@ -234,6 +234,17 @@ class ListTest(list_tests.CommonTest):
list4 = [1]
self.assertFalse(list3 == list4)
def test_lt_operator_modifying_operand(self):
# See gh-120298
class evil:
def __lt__(self, other):
other.clear()
return NotImplemented
a = [[evil()]]
with self.assertRaises(TypeError):
a[0] < a
@cpython_only
def test_preallocation(self):
iterable = [0] * 10

View File

@ -0,0 +1,2 @@
Fix use-after free in ``list_richcompare_impl`` which can be invoked via
some specificly tailored evil input.

View File

@ -3382,7 +3382,14 @@ list_richcompare_impl(PyObject *v, PyObject *w, int op)
}
/* Compare the final item again using the proper operator */
return PyObject_RichCompare(vl->ob_item[i], wl->ob_item[i], op);
PyObject *vitem = vl->ob_item[i];
PyObject *witem = wl->ob_item[i];
Py_INCREF(vitem);
Py_INCREF(witem);
PyObject *result = PyObject_RichCompare(vl->ob_item[i], wl->ob_item[i], op);
Py_DECREF(vitem);
Py_DECREF(witem);
return result;
}
static PyObject *