From eae29a954e11261313fc4ba1ef05d91faa3bb4a0 Mon Sep 17 00:00:00 2001
From: Thomas Kowalski
Date: Tue, 26 May 2026 11:58:19 +0200
Subject: [PATCH] fix: use-after-free in get_data_from_buffer
---
 msgpack/_unpacker.pyx | 4 +---
 msgpack/fallback.py | 3 ++-
 2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/msgpack/_unpacker.pyx b/msgpack/_unpacker.pyx
index e25986e..da6acbb 100644
--- a/msgpack/_unpacker.pyx
+++ b/msgpack/_unpacker.pyx
@@ -130,9 +130,7 @@ cdef inline int get_data_from_buffer(object obj,
 # create a contiguous copy and get buffer
 contiguous = PyMemoryView_GetContiguous(obj, PyBUF_READ, b'C')
 PyObject_GetBuffer(contiguous, view, PyBUF_SIMPLE)
- # view must hold the only reference to contiguous,
- # so memory is freed when view is released
- Py_DECREF(contiguous)
+
 buffer_len[0] = view.len
 buf[0] = view.buf
 return 1
diff --git a/msgpack/fallback.py b/msgpack/fallback.py
index 1f2daf7..159dff2 100644
--- a/msgpack/fallback.py
+++ b/msgpack/fallback.py
@@ -328,7 +328,8 @@ class Unpacker:
 self._buf_checkpoint = 0
 # Use extend here: INPLACE_ADD += doesn't reliably typecast memoryview in jython
- self._buffer.extend(view)
+ # tobytes ensures compatibility with non-contiguous memoryviews
+ self._buffer.extend(view.tobytes())
 view.release()
 def _consume(self):
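Review bot: The ownership rule behind this bug is left undocumented: where the old comment and `Py_DECREF(contiguous)` stood, the new side has only a blank line, so nothing tells the next reader why no decrement belongs there. Presumably `PyMemoryView_GetContiguous` is declared as returning `object` (the declaration is outside the hunk), in which case Cython releases the local reference itself and the reference taken by `PyObject_GetBuffer` in `view.obj` keeps the copy alive until the view is released. I would replace the blank line with `# no Py_DECREF: Cython owns the local reference; view.obj keeps contiguous alive until PyBuffer_Release`. The diffstat lists no test file, and a regression test that unpacks from a non-contiguous memoryview would pin this path. get_data_from_buffer starts above the hunk.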
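Review bot: `view.tobytes()` makes a full temporary copy of every chunk that reaches this line, including the C-contiguous case that `extend(view)` already handled without one, so peak memory for a large input roughly doubles while the data is appended. Copying only when needed keeps the fix and the old fast path: `self._buffer.extend(view if view.c_contiguous else view.tobytes())`; whether the Jython runtime mentioned in the context comment exposes `c_contiguous` would need checking. If `tobytes()` or `extend` raises, the `view.release()` on the next line is skipped, which a `try`/`finally` around the extend would cover. The enclosing method starts above the hunk, so how `view` is obtained and size-checked is not visible here.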