(cherry picked from commit 9fceb1c0c5)
(cherry picked from commit d3e2a133d2)
Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
gh-142831: Fix use-after-free in json encoder during re-entrant mutation (gh-142851)
User callbacks invoked during JSON encoding (e.g. the `default` callback or
a custom string encoder) can mutate or clear the dict or sequence being
encoded, invalidating borrowed references to items, keys, and values. Hold
strong references unconditionally while iterating.
(cherry picked from commit 235fa7244a)
Co-authored-by: Kumar Aditya <kumaraditya@python.org>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
`faulthandler_traverse` visits Python objects owned by `_PyRuntime`, not
by the module instance. With multi-phase init allowing multiple module
instances, each instance's GC traversal decrements `gc_refs` on the same
runtime-owned objects, driving it negative when two instances are
collected simultaneously.
(cherry picked from commit 56737483c2)
[3.14] gh-146452: Improve locking granularity in pickle's batch_dict_exact and fix race condition (GH-150025)
Remove assertion that could fail in rare race condition.
Replace the coarse critical section wrapping the entire function with
fine-grained sections covering only PyDict_Next + Py_INCREF.
Also handle PyDict_Next returning 0 in the single-item fast path.
(cherry picked from commit 57a0e570d3)
gh-149921: Fix reference leaks in _interpchannels and _interpqueues modules (GH-149922)
(cherry picked from commit acefff95ea)
Co-authored-by: AN Long <aisk@users.noreply.github.com>
gh-146452: Fix pickle segfault on concurrent mutation of dict in pickle (GH-146470)
(cherry picked from commit e62a61177f)
Co-authored-by: Farhan Saif <fsaif@uic.edu>
Co-authored-by: Kumar Aditya <kumaraditya@python.org>
gh-149707: Fix compiler warning in _ctypes_test on strchr() (#149791)
Change my_strchr() return type to "const char*" (add "const").
Fix the compiler warning:
Modules/_ctypes/_ctypes_test.c: In function 'my_strchr':
Modules/_ctypes/_ctypes_test.c:451:12: warning: return discards
'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
451 | return strchr(s, c);
| ^~~~~~
When using C23, strchr(text, ch) return type is "const char*" if text
type is "const char*".
(cherry picked from commit 5465b69255)
In free-threaded builds, concurrent calls to PyDict_AddWatcher, PyDict_ClearWatcher, PyDict_Watch, and PyDict_Unwatch can race on the shared callback array and the per-dict watcher tags. This change adds a mutex to serialize watcher registration and removal, atomic operations for tag updates, and atomic acquire/release synchronization for callback dispatch in _PyDict_SendEvent.
(cherry picked from commit 8a4895985f)
Co-authored-by: Alper <alperyoney@fb.com>
Treat the debug offset tables read from a target process as untrusted input
and validate them before the unwinder uses any reported sizes or offsets.
Add a shared validator in debug_offsets_validation.h and run it once when
_Py_DebugOffsets is loaded and once when AsyncioDebug is loaded. The checks
cover section sizes used for fixed local buffers and every offset that is
later dereferenced against a local buffer or local object view. This keeps
the bounds checks out of the sampling hot path while rejecting malformed
tables up front.
(cherry picked from commit 289fd2c97a)
Instead of reading past the end of the empty buffer.
(cherry picked from commit 0c6d2f64c0)
Co-authored-by: Maurycy Pawłowski-Wieroński <maurycy@maurycy.com>
* Document that 's' and 'p' accept bytes and bytearray.
* Fix some footnotes.
* Clarify that "string" is a byte string.
* Fix the module docstring.
(cherry picked from commit 3e5a3cb2bd)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Co-authored-by: Neil Schemenauer <nas@arctrix.com>
Co-authored-by: Sergey Miryanov <sergey.miryanov@gmail.com>
Co-authored-by: Zanie Blue <contact@zanie.dev>
Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Co-authored-by: Neil Schemenauer <nas-github@arctrix.com>
gh-148973: fix segfault on mismatch between consts size and oparg in compiler (GH-148974)
(cherry picked from commit c650b51c32)
Co-authored-by: Irit Katriel <1055913+iritkatriel@users.noreply.github.com>
gh-146578: _zstd: Fix printf format for pledged size errors (GH-146576)
Use %llu instead of %ull for unsigned long long in zstd_contentsize_converter ValueError messages.
(cherry picked from commit 09233bd198)
Co-authored-by: cui <cuiweixie@gmail.com>
gh-148651: Fix refcount leak in _zstd decompressor options (GH-148657)
The option parsing in Modules/_zstd/decompressor.c had a missing Py_DECREF(value) before the early return -1 when PyLong_AsInt(key) fails. The identical code in Modules/_zstd/compressor.c line 158 has the fix.
(cherry picked from commit 446edda209)
Co-authored-by: Michael Bommarito <michael.bommarito@gmail.com>
gh-148395: Fix a possible UAF in `{LZMA,BZ2,_Zlib}Decompressor` (GH-148396)
Fix dangling input pointer after `MemoryError` in _lzma/_bz2/_ZlibDecompressor.decompress
(cherry picked from commit 8fc66aef6d)
Co-authored-by: Stan Ulbrych <stan@python.org>
gh-145105: Fix crash in csv.reader with re-entrant iterator (GH-145106)
When a custom iterator calls next() on the same csv.reader from
within __next__, the inner iteration sets self->fields to NULL.
The outer iteration then crashes in parse_save_field() by passing
NULL to PyList_Append.
Add a guard after PyIter_Next() to detect that fields was set to
NULL by a re-entrant call, and raise csv.Error instead of crashing.
(cherry picked from commit 20994b1809)
Co-authored-by: Ramin Farajpour Cami <ramin.blackhat@gmail.com>
gh-148274: properly handle result from `PyObject_VisitManagedDict` (GH-148275)
(cherry picked from commit ee2775cfae)
Co-authored-by: Max Bachmann <kontakt@maxbachmann.de>
gh-143050: Correct PyLong_FromString() to use _PyLong_Negate() (GH-145901)
The long_from_string_base() might return a small integer, when the
_pylong.py is used to do conversion. Hence, we must be careful here to
not smash it "small int" bit by using the _PyLong_FlipSign().
(cherry picked from commit db5936c5b8)
Co-authored-by: Sergey B Kirpichev <skirpichev@gmail.com>
Co-authored-by: Victor Stinner <vstinner@python.org>
The TypeError in _zstd_set_d_parameters incorrectly referred to
compression options; say decompression options instead.
(cherry picked from commit 4d0e8ee649)
Co-authored-by: cui <cuiweixie@gmail.com>
