Commit 8da22af
gh-151416: Fix use-after-free in os.spawnv/spawnve when __fspath__ mutates argv
The argv conversion loops passed references borrowed from the argv list
into fsconvert_strdup(). An item's __fspath__() can mutate the list and
release its reference to the item, leaving the converter operating on a
freed object. A shrunk list could also make PyList_GetItem() return
NULL, which PyUnicode_FS{Converter,Decoder}() treat as a request to
release an uninitialized output variable.
Hold a strong reference to each item across the conversion, matching
parse_arglist() and parse_envlist().

1 parent d986124 commit 8da22af
2 files changed
Lines changed: 27 additions & 11 deletions
File tree
- Misc/NEWS.d/next/Library
- Modules
Lines changed: 3 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
| 1 | + | |
| 2 | + | |
| 3 | + | |
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
8192 | 8192 | | |
8193 | 8193 | | |
8194 | 8194 | | |
8195 | | - | |
8196 | 8195 | | |
8197 | 8196 | | |
8198 | 8197 | | |
8199 | 8198 | | |
8200 | 8199 | | |
8201 | 8200 | | |
8202 | | - | |
8203 | 8201 | | |
8204 | 8202 | | |
8205 | 8203 | | |
8206 | | - | |
8207 | 8204 | | |
8208 | 8205 | | |
8209 | 8206 | | |
| |||
8221 | 8218 | | |
8222 | 8219 | | |
8223 | 8220 | | |
8224 | | - | |
8225 | | - | |
| 8221 | + | |
| 8222 | + | |
| 8223 | + | |
| 8224 | + | |
| 8225 | + | |
| 8226 | + | |
| 8227 | + | |
| 8228 | + | |
| 8229 | + | |
| 8230 | + | |
| 8231 | + | |
8226 | 8232 | | |
8227 | 8233 | | |
8228 | 8234 | | |
8229 | 8235 | | |
8230 | 8236 | | |
8231 | 8237 | | |
| 8238 | + | |
8232 | 8239 | | |
8233 | 8240 | | |
8234 | 8241 | | |
| |||
8299 | 8306 | | |
8300 | 8307 | | |
8301 | 8308 | | |
8302 | | - | |
8303 | 8309 | | |
8304 | 8310 | | |
8305 | 8311 | | |
| |||
8308 | 8314 | | |
8309 | 8315 | | |
8310 | 8316 | | |
8311 | | - | |
8312 | 8317 | | |
8313 | 8318 | | |
8314 | 8319 | | |
8315 | | - | |
8316 | 8320 | | |
8317 | 8321 | | |
8318 | 8322 | | |
| |||
8336 | 8340 | | |
8337 | 8341 | | |
8338 | 8342 | | |
8339 | | - | |
8340 | | - | |
8341 | | - | |
| 8343 | + | |
| 8344 | + | |
| 8345 | + | |
| 8346 | + | |
| 8347 | + | |
| 8348 | + | |
8342 | 8349 | | |
8343 | 8350 | | |
8344 | 8351 | | |
| 8352 | + | |
| 8353 | + | |
| 8354 | + | |
| 8355 | + | |
| 8356 | + | |
| 8357 | + | |
8345 | 8358 | | |
8346 | 8359 | | |
8347 | 8360 | | |
| |||
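
Review bot: no regression test accompanies the conversion-loop changes at new lines 8221-8231 and 8343-8357; the file tree lists only Misc/NEWS.d/next/Library and Modules for the 2 changed files. Suggest adding a test to the os tests that passes an argv containing a path-like item whose `__fspath__()` shrinks the list during conversion, covering both os.spawnv and os.spawnve, and asserts that the call raises or completes cleanly. Since the message describes two distinct failure modes (the freed item and the NULL return from PyList_GetItem() on a shrunk list), the test should cover each one separately so a later refactor cannot reintroduce only one of them unnoticed.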