ctypes: Return existing pointer when possible

s1kpp · s1kpp · commit 36fb19a21032 · 2023-07-24T18:30:18.000+02:00
Addresses gh-46376
diff --git a/Lib/test/test_ctypes/test_keeprefs.py b/Lib/test/test_ctypes/test_keeprefs.py
@@ -98,6 +98,33 @@ def test_p_cint(self):
         x = pointer(i)
         self.assertEqual(x._objects, {'1': i})
 
+    def test_pp_ownership(self):
+        d = c_int(123)
+        n = c_int(456)
+
+        p = pointer(d)
+        pp = pointer(p)
+
+        self.assertIs(pp._objects['1'], p)
+        self.assertIs(pp._objects['0']['1'], d)
+
+        pp.contents.contents = n
+
+        self.assertIs(pp._objects['1'], p)
+        self.assertIs(pp._objects['0']['1'], n)
+
+        self.assertIs(p._objects['1'], n)
+        self.assertEqual(len(p._objects), 1)
+
+        del d
+        del p
+
+        self.assertIs(pp._objects['0']['1'], n)
+        self.assertEqual(len(pp._objects), 2)
+
+        del n
+
+        self.assertEqual(len(pp._objects), 2)
 
 class PointerToStructure(unittest.TestCase):
     def test(self):
diff --git a/Misc/NEWS.d/next/Library/2023-07-24-01-21-16.gh-issue-46376.w-xuDL.rst b/Misc/NEWS.d/next/Library/2023-07-24-01-21-16.gh-issue-46376.w-xuDL.rst
@@ -0,0 +1 @@
+Prevent memory leak and use-after-free when using pointers to pointers with ctypes
diff --git a/Modules/_ctypes/_ctypes.c b/Modules/_ctypes/_ctypes.c
@@ -5129,6 +5129,8 @@ static PyObject *
 Pointer_get_contents(CDataObject *self, void *closure)
 {
     StgDictObject *stgdict;
+    PyObject *keep, *ptr_probe;
+    CDataObject *ptr2ptr;
 
     if (*(void **)self->b_ptr == NULL) {
         PyErr_SetString(PyExc_ValueError,
@@ -5138,6 +5140,33 @@ Pointer_get_contents(CDataObject *self, void *closure)
 
     stgdict = PyObject_stgdict((PyObject *)self);
     assert(stgdict); /* Cannot be NULL for pointer instances */
+
+    keep = GetKeepedObjects(self);
+    if (keep != NULL) {
+        // check if it's a pointer to a pointer:
+        // pointers will have '0' key in the _objects
+        ptr_probe = PyDict_GetItemString(keep, "0");
+
+        if (ptr_probe != NULL) {
+            ptr2ptr = (CDataObject*) PyDict_GetItemString(keep, "1");
+            if (ptr2ptr ==  NULL) {
+                PyErr_SetString(PyExc_ValueError,
+                "Unexpected NULL pointer in _objects");
+                return NULL;
+            }
+            // don't construct a new object,
+            // return existing one instead to preserve refcount
+            assert(
+                *(void**) self->b_ptr == ptr2ptr->b_ptr ||
+                *(void**) self->b_value.c == ptr2ptr->b_ptr ||
+                *(void**) self->b_ptr == ptr2ptr->b_value.c ||
+                *(void**) self->b_value.c == ptr2ptr->b_value.c
+            );
+            Py_INCREF(ptr2ptr);
+            return ptr2ptr;
+        }
+    }
+
     return PyCData_FromBaseObj(stgdict->proto,
                              (PyObject *)self, 0,
                              *(void **)self->b_ptr);

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Prevent memory leak and use-after-free when using pointers to pointers with ctypes`