Stowage/cpython
2
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2026-06-28 11:50:50 +00:00
Code Issues Projects Releases Packages Wiki Activity

[3.13] gh-151295: Fix use-after-free in bytes.join()/bytearray.join() via re-entrant __buffer__ (GH-151296) (GH-151306)

Browse source 
(cherry picked from commit 84a322aa15)

Co-authored-by: tonghuaroot (童话) <tonghuaroot@gmail.com>
This commit is contained in:
Miss Islington (bot) 2026-06-11 10:30:49 +02:00 committed by GitHub
parent d5468ba70b
commit 5c17ae6c1c
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 35 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

5
Objects/stringlib/join.h
View file

@ -68,13 +68,18 @@ STRINGLIB(bytes_join)(PyObject *sep, PyObject *iterable)
buffers[i].len = PyBytes_GET_SIZE(item);
}
else {
/* item is only borrowed; its __buffer__() may run Python that
drops the sequence's last reference to it. */
Py_INCREF(item);
if (PyObject_GetBuffer(item, &buffers[i], PyBUF_SIMPLE) != 0) {
Py_DECREF(item);
PyErr_Format(PyExc_TypeError,
"sequence item %zd: expected a bytes-like object, "
"%.80s found",
i, Py_TYPE(item)->tp_name);
goto error;
}
Py_DECREF(item);
/* If the backing objects are mutable, then dropping the GIL
* opens up race conditions where another thread tries to modify
* the object which we hold a buffer on it. Such code has data