This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author bstaletic
Recipients YannickJadoul, bstaletic
Date 2021-01-19.13:27:19
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1611062839.74.0.228919176992.issue42961@roundup.psfhosted.org>
In-reply-to
Content 
Oops... I uploaded (and pasted) the wrong file. The /correct/ example can be found here:

https://github.com/pybind/pybind11/pull/2797/#pullrequestreview-570541151

However, I have just realized that the example doesn't really need the embedded module. The following also shows the use-after-free:


#include <Python.h>

static void pybind11_object_dealloc(PyObject *self) {
	auto type = Py_TYPE(self);
	type->tp_free(self);
	Py_DECREF(type);
}
static PyType_Slot base_slots[] = {{Py_tp_dealloc, (void*)pybind11_object_dealloc}, {0, nullptr}};
static PyType_Spec base_spec{"B", sizeof(PyObject), 0, Py_TPFLAGS_BASETYPE | Py_TPFLAGS_HEAPTYPE, base_slots};
int main() {
	Py_InitializeEx(1);
	auto base_type = PyType_FromSpec(&base_spec);
	auto globals = PyDict_New();
	PyDict_SetItemString(globals, "B", base_type);
	auto derived_t = PyRun_String("def f():\n"
                                      "  class C:\n"
                                      "    class D(B):pass\n"
                                      "    b=D()\n"
                                      "f()", Py_file_input, globals, nullptr);
	Py_DECREF(globals);
	Py_DECREF(derived_t);
	Py_Finalize();
}
History
Date User Action Args
2021-01-19 13:27:19bstaleticsetrecipients: + bstaletic, YannickJadoul
2021-01-19 13:27:19bstaleticsetmessageid: <1611062839.74.0.228919176992.issue42961@roundup.psfhosted.org>
2021-01-19 13:27:19bstaleticlinkissue42961 messages
2021-01-19 13:27:19bstaleticcreate