mirror of
https://github.com/python/cpython.git
synced 2026-06-29 22:26:44 -04:00
Miss Islington (bot)
9a45ab1d65
gh-151416: fix a borrowed ref potential use after free via fspath in os.spawnv/spawnve (GH-151417)
* gh-151416: Fix use-after-free in os.spawnv/spawnve when __fspath__ mutates argv
The argv conversion loops passed references borrowed from the argv list
into fsconvert_strdup(). An item's __fspath__() can mutate the list and
release its reference to the item, leaving the converter operating on a
freed object. A shrunk list could also make PyList_GetItem() return
NULL, which PyUnicode_FS{Converter,Decoder}() treat as a request to
release an uninitialized output variable.
Hold a strong reference to each item across the conversion, matching
parse_arglist() and parse_envlist().
* gh-151416: Don't mask non-TypeError argv conversion errors in os.spawnv
os.spawnv() replaced any error raised during argv item conversion,
such as MemoryError, codec errors, or the embedded-null ValueError,
with a generic TypeError. Only add the contextual message when the
conversion actually raised TypeError, matching how os.spawnve() and
the exec functions propagate these errors.
The test is gated to the native C spawnv: the Python fallback used
elsewhere reports conversion failures from the forked child as exit
status 127 instead of raising.
(cherry picked from commit f57d3d6db3)
Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>