fix: use-after-free in get_data_from_buffer

2026-06-19 06:02:09 +00:00 · 2026-05-26 11:58:19 +02:00 · 2026-05-26 11:58:19 +02:00 · eae29a954e
commit eae29a954e
parent 9086469e18
2 changed files with 3 additions and 4 deletions
--- a/msgpack/_unpacker.pyx
+++ b/msgpack/_unpacker.pyx
@ -130,9 +130,7 @@ cdef inline int get_data_from_buffer(object obj,
        # create a contiguous copy and get buffer
        contiguous = PyMemoryView_GetContiguous(obj, PyBUF_READ, b'C')
        PyObject_GetBuffer(contiguous, view, PyBUF_SIMPLE)
-        # view must hold the only reference to contiguous,
-        # so memory is freed when view is released
-        Py_DECREF(contiguous)
+
    buffer_len[0] = view.len
    buf[0] = <char*> view.buf
    return 1
--- a/msgpack/fallback.py
+++ b/msgpack/fallback.py
@ -328,7 +328,8 @@ class Unpacker:
            self._buf_checkpoint = 0

        # Use extend here: INPLACE_ADD += doesn't reliably typecast memoryview in jython
-        self._buffer.extend(view)
+        # tobytes ensures compatibility with non-contiguous memoryviews
+        self._buffer.extend(view.tobytes())
        view.release()

    def _consume(self):