commit 0c1827e70c1c05ce1982a34380cea7d391904293
author Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> Sat Feb 22 05:34:06 2020 -0800
committer GitHub <noreply@github.com> Sat Feb 22 05:34:06 2020 -0800
tree e253ef69b53e82c3838142390fcaf054dff0fc8e
parent d6965ff026f35498e554bc964ef2be8f4d80eb7f

bpo-39382: Avoid dangling object use in abstract_issubclass() (GH-18530)


Hold reference of __bases__ tuple until tuple item is done with, because by
dropping the reference the item may be destroyed.
(cherry picked from commit 1c56f8ffad44478b4214a2bf8eb7cf51c28a347a)

Co-authored-by: Yonatan Goldschmidt <yon.goldschmidt@gmail.com>

Objects/abstract.c

diff --git a/Objects/abstract.c b/Objects/abstract.c
index 77d0914..bc1ebd9 100644
--- a/Objects/abstract.c
+++ b/Objects/abstract.c
@@ -2336,9 +2336,16 @@
     int r = 0;
 
     while (1) {
-        if (derived == cls)
+        if (derived == cls) {
+            Py_XDECREF(bases); /* See below comment */
             return 1;
-        bases = abstract_get_bases(derived);
+        }
+        /* Use XSETREF to drop bases reference *after* finishing with
+           derived; bases might be the only reference to it.
+           XSETREF is used instead of SETREF, because bases is NULL on the
+           first iteration of the loop.
+        */
+        Py_XSETREF(bases, abstract_get_bases(derived));
         if (bases == NULL) {
             if (PyErr_Occurred())
                 return -1;
@@ -2352,7 +2359,6 @@
         /* Avoid recursivity in the single inheritance case */
         if (n == 1) {
             derived = PyTuple_GET_ITEM(bases, 0);
-            Py_DECREF(bases);
             continue;
         }
         for (i = 0; i < n; i++) {