[3.12] gh-120298: Fix use-after-free in list_richcompare_impl (GH-120303) (#120339)

gh-120298: Fix use-after-free in `list_richcompare_impl` (GH-120303)
(cherry picked from commit 141baba)

Co-authored-by: Nikita Sobolev <[email protected]>
Co-authored-by: Serhiy Storchaka <[email protected]>

Author: 3 people

Lib/test/test_list.py

@@ -229,6 +229,17 @@ def __eq__(self, other):
         list4 = [1]
         self.assertFalse(list3 == list4)
 
+    def test_lt_operator_modifying_operand(self):
+        # See gh-120298
+        class evil:
+            def __lt__(self, other):
+                other.clear()
+                return NotImplemented
+
+        a = [[evil()]]
+        with self.assertRaises(TypeError):
+            a[0] < a
+
     @cpython_only
     def test_preallocation(self):
         iterable = [0] * 10

Misc/NEWS.d/next/Core and Builtins/2024-06-10-10-42-48.gh-issue-120298.napREA.rst

@@ -0,0 +1,2 @@
+Fix use-after free in ``list_richcompare_impl`` which can be invoked via
+some specificly tailored evil input.

Objects/listobject.c

@@ -2759,7 +2759,14 @@ list_richcompare(PyObject *v, PyObject *w, int op)
     }
 
     /* Compare the final item again using the proper operator */
-    return PyObject_RichCompare(vl->ob_item[i], wl->ob_item[i], op);
+    PyObject *vitem = vl->ob_item[i];
+    PyObject *witem = wl->ob_item[i];
+    Py_INCREF(vitem);
+    Py_INCREF(witem);
+    PyObject *result = PyObject_RichCompare(vl->ob_item[i], wl->ob_item[i], op);
+    Py_DECREF(vitem);
+    Py_DECREF(witem);
+    return result;
 }
 
 /*[clinic input]