bpo-44184: Apply pythonGH-26274 to the non-GC-type branch of subtype_…

…dealloc (pythonGH-27165) The non-GC-type branch of subtype_dealloc is using the type of an object after freeing in the same unsafe way as pythonGH-26274 fixes. (I believe the old news entry covers this change well enough.) https://bugs.python.org/issue44184
rhettinger · Jul 15, 2021 · 074e765 · 074e765
1 parent 82b218f
commit 074e765
Showing 1 changed file with 11 additions and 3 deletions.
diff --git a/Objects/typeobject.c b/Objects/typeobject.c
@@ -1368,14 +1368,22 @@ subtype_dealloc(PyObject *self)
         /* Extract the type again; tp_del may have changed it */
         type = Py_TYPE(self);
 
+        // Don't read type memory after calling basedealloc() since basedealloc()
+        // can deallocate the type and free its memory.
+        int type_needs_decref = (type->tp_flags & Py_TPFLAGS_HEAPTYPE
+                                 && !(base->tp_flags & Py_TPFLAGS_HEAPTYPE));
+
         /* Call the base tp_dealloc() */
         assert(basedealloc);
         basedealloc(self);
 
-       /* Only decref if the base type is not already a heap allocated type.
-          Otherwise, basedealloc should have decref'd it already */
-        if (type->tp_flags & Py_TPFLAGS_HEAPTYPE && !(base->tp_flags & Py_TPFLAGS_HEAPTYPE))
+        /* Can't reference self beyond this point. It's possible tp_del switched
+           our type from a HEAPTYPE to a non-HEAPTYPE, so be careful about
+           reference counting. Only decref if the base type is not already a heap
+           allocated type. Otherwise, basedealloc should have decref'd it already */
+        if (type_needs_decref) {
             Py_DECREF(type);
+        }
 
         /* Done */
         return;