fix use after free (closes #24552)

Lib/test/pickletester.py

@@ -1039,6 +1039,18 @@ class AbstractPickleTests(unittest.TestCase):
                 self.assertEqual(B(x), B(y), detail)
                 self.assertEqual(x.__dict__, y.__dict__, detail)
 
+    def test_newobj_not_class(self):
+        # Issue 24552
+        global SimpleNewObj
+        save = SimpleNewObj
+        o = object.__new__(SimpleNewObj)
+        b = self.dumps(o, 4)
+        try:
+            SimpleNewObj = 42
+            self.assertRaises((TypeError, pickle.UnpicklingError), self.loads, b)
+        finally:
+            SimpleNewObj = save
+
     # Register a type with copyreg, with extension code extcode.  Pickle
     # an object of that type.  Check that the resulting pickle uses opcode
     # (EXT[124]) under proto 2, and not in proto 1.

Misc/NEWS

@@ -64,6 +64,8 @@ Core and Builtins
 Library
 -------
 
+- Issue #24552: Fix use after free in an error case of the _pickle module.
+
 - Issue #24514: tarfile now tolerates number fields consisting of only
   whitespace.
 

Modules/_pickle.c

@@ -5210,10 +5210,10 @@ load_newobj_ex(UnpicklerObject *self)
     if (!PyType_Check(cls)) {
         Py_DECREF(kwargs);
         Py_DECREF(args);
-        Py_DECREF(cls);
         PyErr_Format(st->UnpicklingError,
                      "NEWOBJ_EX class argument must be a type, not %.200s",
                      Py_TYPE(cls)->tp_name);
+        Py_DECREF(cls);
         return -1;
     }