diff --git a/Misc/NEWS b/Misc/NEWS
index 5feaac7c387191..1462185c7a0106 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -10,6 +10,8 @@ What's New in Python 3.7.0 alpha 1?
Core and Builtins
-----------------
+- bpo-29438: Fixed use-after-free problem in key sharing dict.
+
- Issue #29319: Prevent RunMainFromImporter overwriting sys.path[0].
- Issue #29337: Fixed possible BytesWarning when compare the code objects.
diff --git a/Objects/dictobject.c b/Objects/dictobject.c
index 43584b7bb2444b..5fe5272b1a3fd6 100644
--- a/Objects/dictobject.c
+++ b/Objects/dictobject.c
@@ -4352,15 +4352,19 @@ _PyObjectDict_SetItem(PyTypeObject *tp, PyObject **dictptr,
}
if (value == NULL) {
res = PyDict_DelItem(dict, key);
- if (cached != ((PyDictObject *)dict)->ma_keys) {
+ // Since key sharing dict doesn't allow deletion, PyDict_DelItem()
+ // always converts dict to combined form.
+ if ((cached = CACHED_KEYS(tp)) != NULL) {
CACHED_KEYS(tp) = NULL;
DK_DECREF(cached);
}
}
else {
- int was_shared = cached == ((PyDictObject *)dict)->ma_keys;
+ int was_shared = (cached == ((PyDictObject *)dict)->ma_keys);
res = PyDict_SetItem(dict, key, value);
- if (was_shared && cached != ((PyDictObject *)dict)->ma_keys) {
+ if (was_shared &&
+ (cached = CACHED_KEYS(tp)) != NULL &&
+ cached != ((PyDictObject *)dict)->ma_keys) {
/* PyDict_SetItem() may call dictresize and convert split table
* into combined table. In such case, convert it to split
* table again and update type's shared key only when this is
pFad - Phonifier reborn
Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.
Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.
Alternative Proxies:
Alternative Proxy
pFad Proxy
pFad v3 Proxy
pFad v4 Proxy