Boris Staletic <boris.stale...@gmail.com> added the comment:

Oops... I uploaded (and pasted) the wrong file. The /correct/ example can be found here: https://github.com/pybind/pybind11/pull/2797/#pullrequestreview-570541151

However, I have just realized that the example doesn't really need the embedded module. The following also shows the use-after-free:

#include <Python.h>

// tp_dealloc for the heap type: free the instance, then release the
// reference the instance held on its type.
static void pybind11_object_dealloc(PyObject *self) {
    auto type = Py_TYPE(self);
    type->tp_free(self);
    Py_DECREF(type);
}

static PyType_Slot base_slots[] = {{Py_tp_dealloc, (void*)pybind11_object_dealloc}, {0, nullptr}};
static PyType_Spec base_spec{"B", sizeof(PyObject), 0, Py_TPFLAGS_BASETYPE | Py_TPFLAGS_HEAPTYPE, base_slots};

int main() {
    Py_InitializeEx(1);
    // Create the heap type B and expose it to the Python code run below.
    auto base_type = PyType_FromSpec(&base_spec);
    auto globals = PyDict_New();
    PyDict_SetItemString(globals, "B", base_type);
    // D derives from B inside a nested class body; b is an instance of D.
    auto derived_t = PyRun_String("def f():\n"
                                  "  class C:\n"
                                  "    class D(B):pass\n"
                                  "    b=D()\n"
                                  "f()", Py_file_input, globals, nullptr);
    Py_DECREF(globals);
    Py_DECREF(derived_t);
    Py_Finalize();
}

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue42961>
_______________________________________