From 3f38914706d93c68c74c9527b129a66cee7d56a9 Mon Sep 17 00:00:00 2001 From: priyanshu2282-cyber Date: Thu, 22 Jan 2026 15:01:35 +0530 Subject: [PATCH 01/10] Fix crash in array.fromlist with reentrant __index__ --- Lib/test/test_array.py | 19 +++++++++++++++++++ Modules/arraymodule.c | 9 +++++++++ 2 files changed, 28 insertions(+) diff --git a/Lib/test/test_array.py b/Lib/test/test_array.py index 83b3c978da3581..d166c315bc7103 100755 --- a/Lib/test/test_array.py +++ b/Lib/test/test_array.py @@ -67,6 +67,25 @@ def test_empty(self): a += a self.assertEqual(len(a), 0) + def test_fromlist_reentrant_index_mutation(self): + + class Evil: + def __init__(self, lst): + self.lst = lst + def __index__(self): + self.lst.clear() + return "not an int" + + for typecode in ('I', 'L', 'Q'): + lst = [] + e = Evil(lst) + lst.append(e) + del e + a = array.array(typecode) + with self.assertRaises(TypeError): + a.fromlist(lst) + + # Machine format codes. # diff --git a/Modules/arraymodule.c b/Modules/arraymodule.c index 729e085c19f006..193b3e7b0ba635 100644 --- a/Modules/arraymodule.c +++ b/Modules/arraymodule.c @@ -408,7 +408,10 @@ II_setitem(arrayobject *ap, Py_ssize_t i, PyObject *v) int do_decref = 0; /* if nb_int was called */ if (!PyLong_Check(v)) { + PyObject *orig_v = v; + Py_INCREF(orig_v); v = _PyNumber_Index(v); + Py_DECREF(orig_v); if (NULL == v) { return -1; } @@ -468,7 +471,10 @@ LL_setitem(arrayobject *ap, Py_ssize_t i, PyObject *v) int do_decref = 0; /* if nb_int was called */ if (!PyLong_Check(v)) { + PyObject *orig_v = v; + Py_INCREF(orig_v); v = _PyNumber_Index(v); + Py_DECREF(orig_v); if (NULL == v) { return -1; } @@ -521,7 +527,10 @@ QQ_setitem(arrayobject *ap, Py_ssize_t i, PyObject *v) int do_decref = 0; /* if nb_int was called */ if (!PyLong_Check(v)) { + PyObject *orig_v = v; + Py_INCREF(orig_v); v = _PyNumber_Index(v); + Py_DECREF(orig_v); if (NULL == v) { return -1; } From 57f0113d8e07e0f8f906b4834b5d55a448107afd Mon Sep 17 00:00:00 2001 From: "blurb-it[bot]" <43283697+blurb-it[bot]@users.noreply.github.com> Date: Thu, 22 Jan 2026 10:18:18 +0000 Subject: [PATCH 02/10] =?UTF-8?q?=F0=9F=93=9C=F0=9F=A4=96=20Added=20by=20b?= =?UTF-8?q?lurb=5Fit.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../Security/2026-01-22-10-18-17.gh-issue-144128.akwY06.rst | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 Misc/NEWS.d/next/Security/2026-01-22-10-18-17.gh-issue-144128.akwY06.rst diff --git a/Misc/NEWS.d/next/Security/2026-01-22-10-18-17.gh-issue-144128.akwY06.rst b/Misc/NEWS.d/next/Security/2026-01-22-10-18-17.gh-issue-144128.akwY06.rst new file mode 100644 index 00000000000000..e4a57561eb30d0 --- /dev/null +++ b/Misc/NEWS.d/next/Security/2026-01-22-10-18-17.gh-issue-144128.akwY06.rst @@ -0,0 +1,2 @@ +Fix a crash in array.fromlist() when an element’s __index__ method mutates +the input list during conversion. From 9542d37fc27bdd110c311dcb1f4e7bd7547e6ed9 Mon Sep 17 00:00:00 2001 From: Priyanshu Singh Date: Fri, 23 Jan 2026 19:50:36 +0530 Subject: [PATCH 03/10] Update Misc/NEWS.d/next/Security/2026-01-22-10-18-17.gh-issue-144128.akwY06.rst Co-authored-by: Peter Bierma --- .../Security/2026-01-22-10-18-17.gh-issue-144128.akwY06.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Misc/NEWS.d/next/Security/2026-01-22-10-18-17.gh-issue-144128.akwY06.rst b/Misc/NEWS.d/next/Security/2026-01-22-10-18-17.gh-issue-144128.akwY06.rst index e4a57561eb30d0..4010695aec980d 100644 --- a/Misc/NEWS.d/next/Security/2026-01-22-10-18-17.gh-issue-144128.akwY06.rst +++ b/Misc/NEWS.d/next/Security/2026-01-22-10-18-17.gh-issue-144128.akwY06.rst @@ -1,2 +1,2 @@ -Fix a crash in array.fromlist() when an element’s __index__ method mutates -the input list during conversion. +Fix a crash in :meth:`array.array.fromlist` when an element's :meth:`~object.__index__` method mutates +the input list during conversion. From 4b06317e05dd7f59142f465c839431d958923d1e Mon Sep 17 00:00:00 2001 From: priyanshu2282-cyber Date: Fri, 23 Jan 2026 20:14:11 +0530 Subject: [PATCH 04/10] gh-144128: Move news entry to Library section --- .../2026-01-22-10-18-17.gh-issue-144128.akwY06.rst | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename Misc/NEWS.d/next/{Security => Library}/2026-01-22-10-18-17.gh-issue-144128.akwY06.rst (100%) diff --git a/Misc/NEWS.d/next/Security/2026-01-22-10-18-17.gh-issue-144128.akwY06.rst b/Misc/NEWS.d/next/Library/2026-01-22-10-18-17.gh-issue-144128.akwY06.rst similarity index 100% rename from Misc/NEWS.d/next/Security/2026-01-22-10-18-17.gh-issue-144128.akwY06.rst rename to Misc/NEWS.d/next/Library/2026-01-22-10-18-17.gh-issue-144128.akwY06.rst From e29c15dbdc5770efe5e90b8bd2af625ced58fd4c Mon Sep 17 00:00:00 2001 From: priyanshu2282-cyber Date: Fri, 23 Jan 2026 20:44:57 +0530 Subject: [PATCH 05/10] gh-144128: Address review feedback --- Lib/test/test_array.py | 15 ++++++++------- Modules/arraymodule.c | 6 +++--- 2 files changed, 11 insertions(+), 10 deletions(-) diff --git a/Lib/test/test_array.py b/Lib/test/test_array.py index d166c315bc7103..8ff9ae393326b4 100755 --- a/Lib/test/test_array.py +++ b/Lib/test/test_array.py @@ -77,13 +77,14 @@ def __index__(self): return "not an int" for typecode in ('I', 'L', 'Q'): - lst = [] - e = Evil(lst) - lst.append(e) - del e - a = array.array(typecode) - with self.assertRaises(TypeError): - a.fromlist(lst) + with self.subTest(typecode=typecode): + lst = [] + e = Evil(lst) + lst.append(e) + del e + a = array.array(typecode) + with self.assertRaises(TypeError): + a.fromlist(lst) diff --git a/Modules/arraymodule.c b/Modules/arraymodule.c index 193b3e7b0ba635..1ff459de7b639e 100644 --- a/Modules/arraymodule.c +++ b/Modules/arraymodule.c @@ -410,7 +410,7 @@ II_setitem(arrayobject *ap, Py_ssize_t i, PyObject *v) if (!PyLong_Check(v)) { PyObject *orig_v = v; Py_INCREF(orig_v); - v = _PyNumber_Index(v); + v = _PyNumber_Index(orig_v); Py_DECREF(orig_v); if (NULL == v) { return -1; @@ -473,7 +473,7 @@ LL_setitem(arrayobject *ap, Py_ssize_t i, PyObject *v) if (!PyLong_Check(v)) { PyObject *orig_v = v; Py_INCREF(orig_v); - v = _PyNumber_Index(v); + v = _PyNumber_Index(orig_v); Py_DECREF(orig_v); if (NULL == v) { return -1; @@ -529,7 +529,7 @@ QQ_setitem(arrayobject *ap, Py_ssize_t i, PyObject *v) if (!PyLong_Check(v)) { PyObject *orig_v = v; Py_INCREF(orig_v); - v = _PyNumber_Index(v); + v = _PyNumber_Index(orig_v); Py_DECREF(orig_v); if (NULL == v) { return -1; From 4b88d1694bbab92bdc24d3506f29df5579cf1b6e Mon Sep 17 00:00:00 2001 From: Priyanshu Singh Date: Fri, 23 Jan 2026 20:53:50 +0530 Subject: [PATCH 06/10] Update Lib/test/test_array.py Co-authored-by: Victor Stinner --- Lib/test/test_array.py | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/Lib/test/test_array.py b/Lib/test/test_array.py index 8ff9ae393326b4..d7df9bdebaf132 100755 --- a/Lib/test/test_array.py +++ b/Lib/test/test_array.py @@ -79,9 +79,7 @@ def __index__(self): for typecode in ('I', 'L', 'Q'): with self.subTest(typecode=typecode): lst = [] - e = Evil(lst) - lst.append(e) - del e + lst.append(Evil(lst)) a = array.array(typecode) with self.assertRaises(TypeError): a.fromlist(lst) From 40cb9232ca7650542c3a7bacbcfa12b63db34e74 Mon Sep 17 00:00:00 2001 From: priyanshu2282-cyber Date: Fri, 23 Jan 2026 22:12:26 +0530 Subject: [PATCH 07/10] gh-144128: Apply review feedback for array.fromlist --- Lib/test/test_array.py | 1 - Modules/arraymodule.c | 30 +++++++++++++++--------------- 2 files changed, 15 insertions(+), 16 deletions(-) diff --git a/Lib/test/test_array.py b/Lib/test/test_array.py index d7df9bdebaf132..b49df029f0326f 100755 --- a/Lib/test/test_array.py +++ b/Lib/test/test_array.py @@ -85,7 +85,6 @@ def __index__(self): a.fromlist(lst) - # Machine format codes. # # Search for "enum machine_format_code" in Modules/arraymodule.c to get the diff --git a/Modules/arraymodule.c b/Modules/arraymodule.c index 1ff459de7b639e..9cbc973c823727 100644 --- a/Modules/arraymodule.c +++ b/Modules/arraymodule.c @@ -408,13 +408,13 @@ II_setitem(arrayobject *ap, Py_ssize_t i, PyObject *v) int do_decref = 0; /* if nb_int was called */ if (!PyLong_Check(v)) { - PyObject *orig_v = v; - Py_INCREF(orig_v); - v = _PyNumber_Index(orig_v); - Py_DECREF(orig_v); - if (NULL == v) { + Py_INCREF(v); + PyObject *res = _PyNumber_Index(v); + Py_DECREF(v); + if (NULL == res) { return -1; } + v=res; do_decref = 1; } x = PyLong_AsUnsignedLong(v); @@ -471,13 +471,13 @@ LL_setitem(arrayobject *ap, Py_ssize_t i, PyObject *v) int do_decref = 0; /* if nb_int was called */ if (!PyLong_Check(v)) { - PyObject *orig_v = v; - Py_INCREF(orig_v); - v = _PyNumber_Index(orig_v); - Py_DECREF(orig_v); - if (NULL == v) { + Py_INCREF(v); + PyObject *res = _PyNumber_Index(v); + Py_DECREF(v); + if (NULL == res) { return -1; } + v=res; do_decref = 1; } x = PyLong_AsUnsignedLong(v); @@ -527,13 +527,13 @@ QQ_setitem(arrayobject *ap, Py_ssize_t i, PyObject *v) int do_decref = 0; /* if nb_int was called */ if (!PyLong_Check(v)) { - PyObject *orig_v = v; - Py_INCREF(orig_v); - v = _PyNumber_Index(orig_v); - Py_DECREF(orig_v); - if (NULL == v) { + Py_INCREF(v); + PyObject *res = _PyNumber_Index(v); + Py_DECREF(v); + if (NULL == res) { return -1; } + v=res; do_decref = 1; } x = PyLong_AsUnsignedLongLong(v); From 0683272ddba954ee8d8df9f3f05061ea3a2995ab Mon Sep 17 00:00:00 2001 From: Priyanshu Singh Date: Fri, 23 Jan 2026 22:46:17 +0530 Subject: [PATCH 08/10] Update Modules/arraymodule.c Co-authored-by: Victor Stinner --- Modules/arraymodule.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Modules/arraymodule.c b/Modules/arraymodule.c index 9cbc973c823727..96147516ebd0e1 100644 --- a/Modules/arraymodule.c +++ b/Modules/arraymodule.c @@ -414,7 +414,7 @@ II_setitem(arrayobject *ap, Py_ssize_t i, PyObject *v) if (NULL == res) { return -1; } - v=res; + v = res; do_decref = 1; } x = PyLong_AsUnsignedLong(v); From 6210264c947a5bbdf72aabcd200e4bbe5b381817 Mon Sep 17 00:00:00 2001 From: Priyanshu Singh Date: Fri, 23 Jan 2026 22:46:27 +0530 Subject: [PATCH 09/10] Update Modules/arraymodule.c Co-authored-by: Victor Stinner --- Modules/arraymodule.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Modules/arraymodule.c b/Modules/arraymodule.c index 96147516ebd0e1..0a4b007dfd6f8e 100644 --- a/Modules/arraymodule.c +++ b/Modules/arraymodule.c @@ -477,7 +477,7 @@ LL_setitem(arrayobject *ap, Py_ssize_t i, PyObject *v) if (NULL == res) { return -1; } - v=res; + v = res; do_decref = 1; } x = PyLong_AsUnsignedLong(v); From e3be1e528b1b285e926efac83f9fd0a3502a8b3e Mon Sep 17 00:00:00 2001 From: Priyanshu Singh Date: Fri, 23 Jan 2026 22:46:37 +0530 Subject: [PATCH 10/10] Update Modules/arraymodule.c Co-authored-by: Victor Stinner --- Modules/arraymodule.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Modules/arraymodule.c b/Modules/arraymodule.c index 0a4b007dfd6f8e..5769a796b18902 100644 --- a/Modules/arraymodule.c +++ b/Modules/arraymodule.c @@ -533,7 +533,7 @@ QQ_setitem(arrayobject *ap, Py_ssize_t i, PyObject *v) if (NULL == res) { return -1; } - v=res; + v = res; do_decref = 1; } x = PyLong_AsUnsignedLongLong(v);