gh-143378: Fix UAF when `BytesIO` is concurrently mutated during `write` operations

Open superboy-zjc opened this issue 2 weeks ago • 6 comments

PyObject_GetBuffer() can execute user code (e.g. via `__buffer__`), which may close or otherwise mutate a BytesIO object while write() or writelines() is in progress. This could invalidate the internal buffer and lead to a use-after-free.

Temporarily bump the exports counter while acquiring the input buffer to block re-entrant mutation, and add regression tests to ensure such cases raise BufferError instead of crashing.

  • Issue: gh-143378

superboy-zjc Jan 04 '26 04:01
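
The exports counter named in the description already has an observable effect from Python: `BytesIO.getbuffer()` holds an export while its view is alive, and resizing or closing the object in that window raises `BufferError`. The following is an added example, not code or tests from the pull request; `probe_mutations` and `demo` are hypothetical helper names.

```python
import io


def probe_mutations(bio):
    """Try each size/lifetime mutation; map its name to the exception raised, or None."""
    attempts = {
        "write": lambda: bio.write(b"x" * 100),  # larger than the buffer, needs a resize
        "truncate": lambda: bio.truncate(),
        "close": lambda: bio.close(),
    }
    results = {}
    for name, op in attempts.items():
        try:
            op()
            results[name] = None
        except (BufferError, ValueError) as exc:
            results[name] = type(exc).__name__
    return results


def demo():
    bio = io.BytesIO(b"1234567890")  # constructed sample content

    # getbuffer() exports the internal buffer; the export count stays
    # non-zero until the memoryview is released.
    view = bio.getbuffer()
    guarded = probe_mutations(bio)
    still_open = not bio.closed

    # In-place writes through the view do not move the buffer, so they are allowed.
    view[3:6] = b"abc"
    value = bio.getvalue()

    # Releasing the view drops the export; the same mutations now succeed.
    view.release()
    released = probe_mutations(bio)
    return guarded, still_open, value, released


if __name__ == "__main__":
    for item in demo():
        print(item)
```

A refused mutation leaves the object open and its contents intact, which is the failure mode the description asks for in place of a crash.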