bpo-29438: Fixed use-after-free in key sharing dict (python#40)

methane · web-flow · commit 06a4fcb2458c · 2017-02-13T09:16:20.000+09:00
diff --git a/Misc/NEWS b/Misc/NEWS
@@ -10,6 +10,8 @@ Release date: XXXX-XX-XX
 Core and Builtins
 -----------------
 
+- bpo-29438: Fixed use-after-free problem in key sharing dict.
+
 - Issue #29319: Prevent RunMainFromImporter overwriting sys.path[0].
 
 - Issue #29337: Fixed possible BytesWarning when compare the code objects.
diff --git a/Objects/dictobject.c b/Objects/dictobject.c
@@ -3893,20 +3893,18 @@ _PyObjectDict_SetItem(PyTypeObject *tp, PyObject **dictptr,
         }
         if (value == NULL) {
             res = PyDict_DelItem(dict, key);
-            if (cached != ((PyDictObject *)dict)->ma_keys) {
-                CACHED_KEYS(tp) = NULL;
-                DK_DECREF(cached);
-            }
         }
         else {
-            int was_shared = cached == ((PyDictObject *)dict)->ma_keys;
+            int was_shared = (cached == ((PyDictObject *)dict)->ma_keys);
             res = PyDict_SetItem(dict, key, value);
             /* PyDict_SetItem() may call dictresize() and convert split table
              * into combined table.  In such case, convert it to split
              * table again and update type's shared key only when this is
              * the only dict sharing key with the type.
              */
-            if (was_shared && cached != ((PyDictObject *)dict)->ma_keys) {
+            if (was_shared &&
+                    (cached = CACHED_KEYS(tp)) != NULL &&
+                    cached != ((PyDictObject *)dict)->ma_keys) {
                 if (cached->dk_refcnt == 1) {
                     CACHED_KEYS(tp) = make_keys_shared(dict);
                 } else {
