gh-143403: Fix a UAF in _BINARY_OP_INPLACE_ADD_UNICODE (GH-143404)

Fix a UAF in `_BINARY_OP_INPLACE_ADD_UNICODE`
Ken Jin 2026-01-04 21:10:39 +08:00 committed by GitHub
parent 9609574e7f
commit 6116d70bbd
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 21 additions and 24 deletions


@ -802,15 +802,18 @@ dummy_func(
*/
assert(Py_REFCNT(left_o) >= 2 || !PyStackRef_IsHeapSafe(left));
PyObject *temp = PyStackRef_AsPyObjectSteal(*target_local);
PyObject *right_o = PyStackRef_AsPyObjectBorrow(right);
PyUnicode_Append(&temp, right_o);
PyStackRef_CLOSE_SPECIALIZED(right, _PyUnicode_ExactDealloc);
DEAD(right);
PyObject *right_o = PyStackRef_AsPyObjectSteal(right);
/* gh-143403: It's critical to close this reference *before*
* we append. Otherwise, append can move the underlying
* unicode object, which will cause a use after free!
*/
PyStackRef_CLOSE_SPECIALIZED(left, _PyUnicode_ExactDealloc);
DEAD(left);
PyUnicode_Append(&temp, right_o);
_Py_DECREF_SPECIALIZED(right_o, _PyUnicode_ExactDealloc);
*target_local = PyStackRef_NULL;
ERROR_IF(temp == NULL);
res = PyStackRef_FromPyObjectSteal(temp);
*target_local = PyStackRef_NULL;
}
op(_GUARD_BINARY_OP_EXTEND, (descr/4, left, right -- left, right)) {
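Review bot: After `PyStackRef_AsPyObjectSteal(*target_local)` the local slot still holds the old reference bits until `*target_local = PyStackRef_NULL;` runs, which in the new code is only after `PyUnicode_Append(&temp, right_o)` and the `_Py_DECREF_SPECIALIZED` call. If the append moves or frees the string, the slot is a dangling pointer for that window. Nothing visible in the hunk reads the slot in between, so this is a hardening point rather than a demonstrated bug. Consider moving `*target_local = PyStackRef_NULL;` to directly after the steal, provided the cases generator allows it. The new comment could also name the operand, e.g. `close left *before* we append`, since it currently sits right under the `right_o` line and "this reference" reads ambiguously. The enclosing op starts before the hunk, so the guard that establishes `left` and `*target_local` as the same object is not visible here.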