Backport gh-120298 list_richcompare use after free

gpshead · gpshead · commit 391eb4176eca · 2024-07-03T11:26:42.000-07:00
This backports the fix to #120298. commit id b884536
diff --git a/Misc/NEWS.d/next/Core and Builtins/2024-06-10-10-42-48.gh-issue-120298.napREA.rst b/Misc/NEWS.d/next/Core and Builtins/2024-06-10-10-42-48.gh-issue-120298.napREA.rst
@@ -0,0 +1,2 @@
+Fix use-after free in ``list_richcompare_impl`` which can be invoked via
+some specificly tailored evil input.
diff --git a/Objects/listobject.c b/Objects/listobject.c
@@ -2757,7 +2757,14 @@ list_richcompare(PyObject *v, PyObject *w, int op)
     }
 
     /* Compare the final item again using the proper operator */
-    return PyObject_RichCompare(vl->ob_item[i], wl->ob_item[i], op);
+    PyObject *vitem = vl->ob_item[i];
+    PyObject *witem = wl->ob_item[i];
+    Py_INCREF(vitem);
+    Py_INCREF(witem);
+    PyObject *result = PyObject_RichCompare(vl->ob_item[i], wl->ob_item[i], op);
+    Py_DECREF(vitem);
+    Py_DECREF(witem);
+    return result;
 }
 
 /*[clinic input]

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	+Fix use-after free in ``list_richcompare_impl`` which can be invoked via
	`2`	`+some specificly tailored evil input.`
Original file line number	Diff line number	Diff line change
`@@ -2757,7 +2757,14 @@ list_richcompare(PyObject v, PyObject w, int op)`
`2757`	`2757`	`}`
`2758`	`2758`
`2759`	`2759`	`/* Compare the final item again using the proper operator */`
`2760`		`- return PyObject_RichCompare(vl->ob_item[i], wl->ob_item[i], op);`
	`2760`	`+ PyObject *vitem = vl->ob_item[i];`
	`2761`	`+ PyObject *witem = wl->ob_item[i];`
	`2762`	`+ Py_INCREF(vitem);`
	`2763`	`+ Py_INCREF(witem);`
	`2764`	`+ PyObject *result = PyObject_RichCompare(vl->ob_item[i], wl->ob_item[i], op);`
	`2765`	`+ Py_DECREF(vitem);`
	`2766`	`+ Py_DECREF(witem);`
	`2767`	`+ return result;`
`2761`	`2768`	`}`
`2762`	`2769`
`2763`	`2770`	`/*[clinic input]`