Backport pythongh-120298 list_richcompare use after free

This backports the fix to python#120298. commit id b884536
gpshead · Jul 3, 2024 · 391eb41 · 391eb41
1 parent 6d1ab20
commit 391eb41
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 1 deletion.
diff --git a/Misc/NEWS.d/next/Core and Builtins/2024-06-10-10-42-48.gh-issue-120298.napREA.rst b/Misc/NEWS.d/next/Core and Builtins/2024-06-10-10-42-48.gh-issue-120298.napREA.rst
@@ -0,0 +1,2 @@
+Fix use-after free in ``list_richcompare_impl`` which can be invoked via
+some specificly tailored evil input.
diff --git a/Objects/listobject.c b/Objects/listobject.c
@@ -2757,7 +2757,14 @@ list_richcompare(PyObject *v, PyObject *w, int op)
     }
 
     /* Compare the final item again using the proper operator */
-    return PyObject_RichCompare(vl->ob_item[i], wl->ob_item[i], op);
+    PyObject *vitem = vl->ob_item[i];
+    PyObject *witem = wl->ob_item[i];
+    Py_INCREF(vitem);
+    Py_INCREF(witem);
+    PyObject *result = PyObject_RichCompare(vl->ob_item[i], wl->ob_item[i], op);
+    Py_DECREF(vitem);
+    Py_DECREF(witem);
+    return result;
 }
 
 /*[clinic input]
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		Fix use-after free in ``list_richcompare_impl`` which can be invoked via
		some specificly tailored evil input.