#11249: in PyType_FromSpec, copy tp_doc slot since it usually will point to a static string literal which should not be deallocated together with the type.
diff --git a/Misc/NEWS b/Misc/NEWS
index 093a126..ff6fd23 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -10,6 +10,8 @@
Core and Builtins
-----------------
+- Issue #11249: Fix potential crashes when using the limited API.
+
Library
-------
diff --git a/Objects/typeobject.c b/Objects/typeobject.c
index e9c7591..b1fe44e 100644
--- a/Objects/typeobject.c
+++ b/Objects/typeobject.c
@@ -2347,6 +2347,17 @@
goto fail;
}
*(void**)(res_start + slotoffsets[slot->slot]) = slot->pfunc;
+
+ /* need to make a copy of the docstring slot, which usually
+ points to a static string literal */
+ if (slot->slot == Py_tp_doc) {
+ ssize_t len = strlen(slot->pfunc)+1;
+ char *tp_doc = PyObject_MALLOC(len);
+ if (tp_doc == NULL)
+ goto fail;
+ memcpy(tp_doc, slot->pfunc, len);
+ res->ht_type.tp_doc = tp_doc;
+ }
}
return (PyObject*)res;
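Review bot: The new `Py_tp_doc` branch calls `strlen(slot->pfunc)` without a NULL check, so a spec entry that passes a NULL docstring pointer is dereferenced here; guarding the branch with `if (slot->slot == Py_tp_doc && slot->pfunc != NULL) {` avoids that, and the generic store on the line above appears to have already written the NULL into the slot in that case. On allocation failure the branch jumps to `fail` without raising, and `PyObject_MALLOC` does not set an exception itself, so unless the `fail` path (outside this hunk) does, the caller gets NULL with no error set; adding `PyErr_NoMemory();` before that `goto fail;` would fix it. `ssize_t` is a POSIX type rather than standard C and `strlen` returns `size_t`, so `size_t len = strlen(slot->pfunc)+1;` is the portable declaration. The enclosing function starts before this hunk, so the cleanup done at `fail` and the ownership of the half-built type cannot be checked from here.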