diff --git a/Misc/NEWS b/Misc/NEWS
index d79ff2450defaa..ceea2226561fd6 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -10,6 +10,8 @@ What's New in Python 3.6.1 release candidate 1?
Core and Builtins
-----------------
+- bpo-29438: Fixed use-after-free problem in key sharing dict.
+
- Issue #29319: Prevent RunMainFromImporter overwriting sys.path[0].
- Issue #29337: Fixed possible BytesWarning when compare the code objects.
diff --git a/Objects/dictobject.c b/Objects/dictobject.c
index a7b403bcecc5da..b63b78a337225a 100644
--- a/Objects/dictobject.c
+++ b/Objects/dictobject.c
@@ -4376,15 +4376,19 @@ _PyObjectDict_SetItem(PyTypeObject *tp, PyObject **dictptr,
}
if (value == NULL) {
res = PyDict_DelItem(dict, key);
- if (cached != ((PyDictObject *)dict)->ma_keys) {
+ // Since key sharing dict doesn't allow deletion, PyDict_DelItem()
+ // always converts dict to combined form.
+ if ((cached = CACHED_KEYS(tp)) != NULL) {
CACHED_KEYS(tp) = NULL;
DK_DECREF(cached);
}
}
else {
- int was_shared = cached == ((PyDictObject *)dict)->ma_keys;
+ int was_shared = (cached == ((PyDictObject *)dict)->ma_keys);
res = PyDict_SetItem(dict, key, value);
- if (was_shared && cached != ((PyDictObject *)dict)->ma_keys) {
+ if (was_shared &&
+ (cached = CACHED_KEYS(tp)) != NULL &&
+ cached != ((PyDictObject *)dict)->ma_keys) {
/* PyDict_SetItem() may call dictresize and convert split table
* into combined table. In such case, convert it to split
* table again and update type's shared key only when this is
pFad - Phonifier reborn
Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.
Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.
Alternative Proxies:
Alternative Proxy
pFad Proxy
pFad v3 Proxy
pFad v4 Proxy