gh-126703: Fix possible use after free in pycfunction freelist (GH-132319)

2025-07-07 19:35:27 +00:00 · 2025-04-09 22:49:33 +08:00 · 2025-04-09 22:49:33 +08:00 · bd3aa0b9f7
commit bd3aa0b9f7
parent 3feac7a093
2 changed files with 6 additions and 1 deletions
--- a/Misc/NEWS.d/next/Core_and_Builtins/2025-04-09-13-47-33.gh-issue-126703.kXiQHj.rst
+++ b/Misc/NEWS.d/next/Core_and_Builtins/2025-04-09-13-47-33.gh-issue-126703.kXiQHj.rst
@ -0,0 +1 @@
+Fix possible use after free in cases where a method's definition has the same lifetime as its ``self``.
--- a/Objects/methodobject.c
+++ b/Objects/methodobject.c
@ -173,12 +173,16 @@ meth_dealloc(PyObject *self)
    if (m->m_weakreflist != NULL) {
        PyObject_ClearWeakRefs((PyObject*) m);
    }
+    // We need to access ml_flags here rather than later.
+    // `m->m_ml` might have the same lifetime
+    // as `m_self` when it's dynamically allocated.
+    int ml_flags = m->m_ml->ml_flags;
    // Dereference class before m_self: PyCFunction_GET_CLASS accesses
    // PyMethodDef m_ml, which could be kept alive by m_self
    Py_XDECREF(PyCFunction_GET_CLASS(m));
    Py_XDECREF(m->m_self);
    Py_XDECREF(m->m_module);
-    if (m->m_ml->ml_flags & METH_METHOD) {
+    if (ml_flags & METH_METHOD) {
        assert(Py_IS_TYPE(self, &PyCMethod_Type));
        _Py_FREELIST_FREE(pycmethodobject, m, PyObject_GC_Del);
    }
				`@ -0,0 +1 @@`
				Fix possible use after free in cases where a method's definition has the same lifetime as its ``self``.