pythongh-120298: Fix use-after-free in list_richcompare_impl

Lib/test/test_bisect.py

@@ -291,6 +291,16 @@ def __gt__(self, other):
         self.assertEqual(i1, 40)
         self.assertEqual(i2, 41)
 
+    def test_use_after_free_gh120298(self):
+        class evil(object):
+            def __lt__(self, other):
+                other.clear()
+                return NotImplemented
+
+        a = [[evil()]]
+        with self.assertRaises(TypeError):
+            self.module.insort_left(a, a)
+
 class TestBisectPython(TestBisect, unittest.TestCase):
     module = py_bisect
 

Lib/test/test_deque.py

@@ -782,6 +782,18 @@ def test_runtime_error_on_empty_deque(self):
         d.append(10)
         self.assertRaises(RuntimeError, next, it)
 
+    def test_use_after_free_gh120298(self):
+        class evil(object):
+            def __lt__(self, other):
+                other.pop()
+                return NotImplemented
+
+        a = [[[evil()]]]
+        b = deque(a[0])
+        c = deque(a)
+        with self.assertRaises(TypeError):
+            b < c
+
 class Deque(deque):
     pass
 

Misc/NEWS.d/next/Core and Builtins/2024-06-10-10-42-48.gh-issue-120298.napREA.rst

@@ -0,0 +1,2 @@
+Fix use-after free in ``list_richcompare_impl`` which can be invoked via
+some specificly tailored evil input.

Objects/listobject.c

@@ -3382,7 +3382,14 @@ list_richcompare_impl(PyObject *v, PyObject *w, int op)
     }
 
     /* Compare the final item again using the proper operator */
-    return PyObject_RichCompare(vl->ob_item[i], wl->ob_item[i], op);
+    PyObject *vitem = vl->ob_item[i];
+    PyObject *witem = wl->ob_item[i];
+    Py_INCREF(vitem);
+    Py_INCREF(witem);
+    PyObject *result = PyObject_RichCompare(vl->ob_item[i], wl->ob_item[i], op);
+    Py_DECREF(vitem);
+    Py_DECREF(witem);
+    return result;
 }
 
 static PyObject *