From c68d4f12c4f0159385c964a6209d7d0a2c082909 Mon Sep 17 00:00:00 2001
From: Ken Jin <28750310+Fidget-Spinner@users.noreply.github.com>
Date: Wed, 9 Apr 2025 21:44:34 +0800
Subject: [PATCH 1/3] Fix possible use after free in pycfunction freelist

---
 Objects/methodobject.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/Objects/methodobject.c b/Objects/methodobject.c
index 1f459dea44192c..f8689128134b31 100644
--- a/Objects/methodobject.c
+++ b/Objects/methodobject.c
@@ -173,12 +173,16 @@ meth_dealloc(PyObject *self)
     if (m->m_weakreflist != NULL) {
         PyObject_ClearWeakRefs((PyObject*) m);
     }
+    // We need to access ml_flags here rather than later.
+    // `m` might have the same lifetime
+    // as `m_self` when it's dynamically allocated.
+    int ml_flags = m->m_ml->ml_flags;
     // Dereference class before m_self: PyCFunction_GET_CLASS accesses
     // PyMethodDef m_ml, which could be kept alive by m_self
     Py_XDECREF(PyCFunction_GET_CLASS(m));
     Py_XDECREF(m->m_self);
     Py_XDECREF(m->m_module);
-    if (m->m_ml->ml_flags & METH_METHOD) {
+    if (ml_flags & METH_METHOD) {
         assert(Py_IS_TYPE(self, &PyCMethod_Type));
         _Py_FREELIST_FREE(pycmethodobject, m, PyObject_GC_Del);
     }

From 4fa1dafb28f9f50650b8ba0c1c394a9538dbf995 Mon Sep 17 00:00:00 2001
From: "blurb-it[bot]" <43283697+blurb-it[bot]@users.noreply.github.com>
Date: Wed, 9 Apr 2025 13:47:40 +0000
Subject: [PATCH 2/3] =?UTF-8?q?=F0=9F=93=9C=F0=9F=A4=96=20Added=20by=20blu?= =?UTF-8?q?rb=5Fit.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../2025-04-09-13-47-33.gh-issue-126703.kXiQHj.rst | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 Misc/NEWS.d/next/Core_and_Builtins/2025-04-09-13-47-33.gh-issue-126703.kXiQHj.rst

diff --git a/Misc/NEWS.d/next/Core_and_Builtins/2025-04-09-13-47-33.gh-issue-126703.kXiQHj.rst b/Misc/NEWS.d/next/Core_and_Builtins/2025-04-09-13-47-33.gh-issue-126703.kXiQHj.rst
new file mode 100644
index 00000000000000..d0461e17d0fa95
--- /dev/null
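Review bot: The `ml_flags` snapshot only protects the `if` visible at the end of this hunk, and the added comment does not state the invariant it relies on, so the remainder of meth_dealloc (the function starts before this hunk and continues past it; the freelist path for plain PyCFunction objects presumably lives there) can silently reintroduce a read of `m->m_ml` after `Py_XDECREF(m->m_self)`. I would replace the three added comment lines with one that names the rule: `// Read ml_flags before dropping m_self: the PyMethodDef behind m->m_ml may be owned by m_self (e.g. a dynamically allocated def), so m->m_ml must not be dereferenced anywhere after Py_XDECREF(m->m_self) below.` The existing `Py_XDECREF(PyCFunction_GET_CLASS(m));` still dereferences `m->m_ml` (the older comment above it says so), which is safe only because it precedes the `m_self` decref; either a one-line comment there or selecting `mm_class` from the saved `ml_flags` instead of re-reading `m->m_ml->ml_flags` would make that ordering dependency explicit rather than incidental.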
+++ b/Misc/NEWS.d/next/Core_and_Builtins/2025-04-09-13-47-33.gh-issue-126703.kXiQHj.rst
@@ -0,0 +1 @@
+Fix possible use after free in cases where a method's definition has the same lifetime as its ``self``.

From 088d3a4ef47d15bba282c572ebac5f7ff02ad293 Mon Sep 17 00:00:00 2001
From: Ken Jin <28750310+Fidget-Spinner@users.noreply.github.com>
Date: Wed, 9 Apr 2025 21:52:57 +0800
Subject: [PATCH 3/3] Address review

---
 Objects/methodobject.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Objects/methodobject.c b/Objects/methodobject.c
index f8689128134b31..189b026ab33559 100644
--- a/Objects/methodobject.c
+++ b/Objects/methodobject.c
@@ -174,7 +174,7 @@ meth_dealloc(PyObject *self)
         PyObject_ClearWeakRefs((PyObject*) m);
     }
     // We need to access ml_flags here rather than later.
-    // `m` might have the same lifetime
+    // `m->m_ml` might have the same lifetime
     // as `m_self` when it's dynamically allocated.
     int ml_flags = m->m_ml->ml_flags;
     // Dereference class before m_self: PyCFunction_GET_CLASS accesses