UAF in _BINARY_OP_INPLACE_ADD_UNICODE #143403
Status: Closed
Labels: interpreter-core (Objects, Python, Grammar, and Parser dirs), release-blocker, type-crash (A hard crash of the interpreter, possibly with a core dump)
Crash report
What happened?
In Python 3.13, _BINARY_OP_INPLACE_ADD_UNICODE would decref the LHS before passing it to the append function.
cpython/Python/bytecodes.c, lines 511 to 517 in b3c9faf
Current main branch calls the close after.
The problem, found by @reidenong (full credit to him also for the description), is that PyUnicode_Append may call realloc and move what LHS points to. It seems I introduced this in https://github.com/python/cpython/pull/143124/files.
This means closing LHS after the append may cause a use-after-free, if PyUnicode_Append has decided to move the buffer. I have a fix for this.
The good news is that this was only merged last week, and is not in any released version of Python.
CPython versions tested on:
CPython main branch
Operating systems tested on:
No response
Output from running 'python -VV' on the command line:
No response
Linked PRs
_BINARY_OP_INPLACE_ADD_UNICODE #143404
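The ownership rule behind this report, as an added example that is not CPython code and not from the issue or the linked PR: an append API that takes a pointer-to-pointer and may move the object invalidates every other pointer to that object, so a stack reference taken before the call must be closed before the call (the 3.13 ordering), not after it (the ordering described for main). All names here (Str, StackRef, str_append, stackref_close, the two inplace_add_* functions) are constructed for the model; objects live in a static registry so that a stale close is detected and reported rather than touching freed memory, and the model moves the object on every append so the hazard is deterministic instead of depending on a resize decision.

```c
/* Constructed model (not CPython code) of the ordering rule in the report:
 * str_append(&p, right) may move the object p points at, so any other
 * handle to that object taken beforehand is stale afterwards. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_OBJS 64

typedef struct {
    int refcnt;
    int live;   /* 0 once released or moved away from this slot */
    char *buf;
} Str;

static Str registry[MAX_OBJS];  /* slots are never reused, so a dead slot stays readable */
static int nobjs;

static Str *str_new(const char *s) {
    if (nobjs >= MAX_OBJS) abort();
    Str *o = &registry[nobjs++];
    o->refcnt = 1;
    o->live = 1;
    o->buf = malloc(strlen(s) + 1);
    strcpy(o->buf, s);
    return o;
}

static void str_decref(Str *o) {
    if (--o->refcnt == 0) {
        free(o->buf);
        o->buf = NULL;
        o->live = 0;
    }
}

/* Model of PyUnicode_Append(&left, right): grows *p_left and may move it.
 * This model moves on every call: the old slot is dead afterwards and
 * *p_left is updated to the new location; the counts travel with it. */
static void str_append(Str **p_left, const Str *right) {
    if (nobjs >= MAX_OBJS) abort();
    Str *old = *p_left;
    Str *moved = &registry[nobjs++];
    moved->refcnt = old->refcnt;
    moved->live = 1;
    moved->buf = malloc(strlen(old->buf) + strlen(right->buf) + 1);
    strcpy(moved->buf, old->buf);
    strcat(moved->buf, right->buf);
    free(old->buf);
    old->buf = NULL;
    old->live = 0;
    *p_left = moved;
}

/* A stack reference: holds one count on the object it points at. */
typedef struct { Str *obj; } StackRef;

static StackRef stackref_from(Str *o) {
    o->refcnt++;
    StackRef r = { o };
    return r;
}

/* Closing a handle whose slot is dead is the use-after-free; report it
 * instead of decrementing through the stale pointer. */
static int stackref_close(StackRef *r) {
    if (!r->obj->live) return -1;
    str_decref(r->obj);
    r->obj = NULL;
    return 0;
}

/* Ordering the report describes for main: append, then close the stack ref.
 * Returns -1: the ref still points at the slot the append vacated. */
static int inplace_add_close_after(const char *a, const char *b, char *out, size_t n) {
    Str *local = str_new(a);              /* the frame's local variable */
    StackRef left = stackref_from(local); /* the operand on the value stack */
    Str *right = str_new(b);
    str_append(&local, right);
    int rc = stackref_close(&left);       /* stale: the object has moved */
    snprintf(out, n, "%s", local->buf);
    str_decref(local);
    str_decref(right);
    return rc;
}

/* 3.13 ordering: give up the stack count first, then append through the
 * local, which is the only pointer the append is allowed to update. */
static int inplace_add_close_before(const char *a, const char *b, char *out, size_t n) {
    Str *local = str_new(a);
    StackRef left = stackref_from(local);
    Str *right = str_new(b);
    int rc = stackref_close(&left);       /* refcnt 2 -> 1, object still live */
    str_append(&local, right);            /* only `local` is updated */
    snprintf(out, n, "%s", local->buf);
    str_decref(local);
    str_decref(right);
    return rc;
}

int main(void) {
    char out[32];
    printf("close before: rc=%d result=%s\n", inplace_add_close_before("foo", "bar", out, sizeof out), out);
    printf("close after:  rc=%d result=%s\n", inplace_add_close_after("foo", "bar", out, sizeof out), out);
    return 0;
}
```

Both orderings produce the right string, which is why the bug does not show up as a wrong answer; the difference is only in whether a handle to the pre-append object is still touched afterwards. The registry's `live` flag is the model's stand-in for what a debug allocator or AddressSanitizer reports in the real interpreter.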