diff --git a/Misc/NEWS b/Misc/NEWS index 6c016f34b02..0946553db70 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -42,6 +42,8 @@ Library - In the curses module, raise an error if window.getstr() or window.instr() is passed a negative value. +- Issue #27783: Fix possible usage of uninitialized memory in operator.methodcaller. + - Issue #27774: Fix possible Py_DECREF on unowned object in _sre. - Issue #27760: Fix possible integer overflow in binascii.b2a_qp. diff --git a/Modules/_operator.c b/Modules/_operator.c index eb4f3a34edb..dfff1d2faa1 100644 --- a/Modules/_operator.c +++ b/Modules/_operator.c @@ -931,7 +931,7 @@ static PyObject * methodcaller_new(PyTypeObject *type, PyObject *args, PyObject *kwds) { methodcallerobject *mc; - PyObject *name, *newargs; + PyObject *name; if (PyTuple_GET_SIZE(args) < 1) { PyErr_SetString(PyExc_TypeError, "methodcaller needs at least " @@ -951,13 +951,7 @@ methodcaller_new(PyTypeObject *type, PyObject *args, PyObject *kwds) if (mc == NULL) return NULL; - newargs = PyTuple_GetSlice(args, 1, PyTuple_GET_SIZE(args)); - if (newargs == NULL) { - Py_DECREF(mc); - return NULL; - } - mc->args = newargs; - + name = PyTuple_GET_ITEM(args, 0); Py_INCREF(name); PyUnicode_InternInPlace(&name); mc->name = name; @@ -965,6 +959,12 @@ methodcaller_new(PyTypeObject *type, PyObject *args, PyObject *kwds) Py_XINCREF(kwds); mc->kwds = kwds; + mc->args = PyTuple_GetSlice(args, 1, PyTuple_GET_SIZE(args)); + if (mc->args == NULL) { + Py_DECREF(mc); + return NULL; + } + PyObject_GC_Track(mc); return (PyObject *)mc; }