Reference Counting (Use-After-Free) Bugs for `PyList_SetItem`

### Related PR

#885 

### Description

A reference to item is incorrectly decremented after a failed PyList_SetItem call, leading to a potential use-after-free vulnerability or double-decrement crash.

### Affected Code

https://github.com/igraph/python-igraph/blob/5a451e6e1bfc3bac9ed3fff85df3607a1cedbc99/src/_igraph/vertexseqobject.c#L297-L301

https://github.com/igraph/python-igraph/blob/5a451e6e1bfc3bac9ed3fff85df3607a1cedbc99/src/_igraph/vertexseqobject.c#L322-L326

https://github.com/igraph/python-igraph/blob/5a451e6e1bfc3bac9ed3fff85df3607a1cedbc99/src/_igraph/vertexseqobject.c#L345-L349

https://github.com/igraph/python-igraph/blob/5a451e6e1bfc3bac9ed3fff85df3607a1cedbc99/src/_igraph/vertexseqobject.c#L471-L474

https://github.com/igraph/python-igraph/blob/5a451e6e1bfc3bac9ed3fff85df3607a1cedbc99/src/_igraph/vertexseqobject.c#L532-L536

https://github.com/igraph/python-igraph/blob/5a451e6e1bfc3bac9ed3fff85df3607a1cedbc99/src/_igraph/vertexseqobject.c#L551-L556

https://github.com/igraph/python-igraph/blob/5a451e6e1bfc3bac9ed3fff85df3607a1cedbc99/src/_igraph/vertexseqobject.c#L568-L573

https://github.com/igraph/python-igraph/blob/5a451e6e1bfc3bac9ed3fff85df3607a1cedbc99/src/_igraph/pyhelpers.c#L86-L90

https://github.com/igraph/python-igraph/blob/5a451e6e1bfc3bac9ed3fff85df3607a1cedbc99/src/_igraph/attributes.c#L283-L287

https://github.com/igraph/python-igraph/blob/5a451e6e1bfc3bac9ed3fff85df3607a1cedbc99/src/_igraph/attributes.c#L661-L664

https://github.com/igraph/python-igraph/blob/5a451e6e1bfc3bac9ed3fff85df3607a1cedbc99/src/_igraph/attributes.c#L722-L728

https://github.com/igraph/python-igraph/blob/5a451e6e1bfc3bac9ed3fff85df3607a1cedbc99/src/_igraph/attributes.c#L880-L883

https://github.com/igraph/python-igraph/blob/5a451e6e1bfc3bac9ed3fff85df3607a1cedbc99/src/_igraph/attributes.c#L936-L942

https://github.com/igraph/python-igraph/blob/5a451e6e1bfc3bac9ed3fff85df3607a1cedbc99/src/_igraph/attributes.c#L984-L988

https://github.com/igraph/python-igraph/blob/5a451e6e1bfc3bac9ed3fff85df3607a1cedbc99/src/_igraph/attributes.c#L998-L1002

https://github.com/igraph/python-igraph/blob/5a451e6e1bfc3bac9ed3fff85df3607a1cedbc99/src/_igraph/attributes.c#L1072-L1076

https://github.com/igraph/python-igraph/blob/5a451e6e1bfc3bac9ed3fff85df3607a1cedbc99/src/_igraph/attributes.c#L1116-L1120

https://github.com/igraph/python-igraph/blob/5a451e6e1bfc3bac9ed3fff85df3607a1cedbc99/src/_igraph/attributes.c#L1149-L1153

https://github.com/igraph/python-igraph/blob/5a451e6e1bfc3bac9ed3fff85df3607a1cedbc99/src/_igraph/attributes.c#L1209-L1214

https://github.com/igraph/python-igraph/blob/5a451e6e1bfc3bac9ed3fff85df3607a1cedbc99/src/_igraph/attributes.c#L1246-L1250

https://github.com/igraph/python-igraph/blob/5a451e6e1bfc3bac9ed3fff85df3607a1cedbc99/src/_igraph/attributes.c#L1292-L1296

https://github.com/igraph/python-igraph/blob/5a451e6e1bfc3bac9ed3fff85df3607a1cedbc99/src/_igraph/attributes.c#L1326-L1331

https://github.com/igraph/python-igraph/blob/5a451e6e1bfc3bac9ed3fff85df3607a1cedbc99/src/_igraph/attributes.c#L1385-L1390

https://github.com/igraph/python-igraph/blob/5a451e6e1bfc3bac9ed3fff85df3607a1cedbc99/src/_igraph/edgeobject.c#L395-L396

https://github.com/igraph/python-igraph/blob/5a451e6e1bfc3bac9ed3fff85df3607a1cedbc99/src/_igraph/edgeobject.c#L408-L412

https://github.com/igraph/python-igraph/blob/5a451e6e1bfc3bac9ed3fff85df3607a1cedbc99/src/_igraph/edgeobject.c#L416-L420

https://github.com/igraph/python-igraph/blob/5a451e6e1bfc3bac9ed3fff85df3607a1cedbc99/src/_igraph/vertexobject.c#L526-L527

https://github.com/igraph/python-igraph/blob/5a451e6e1bfc3bac9ed3fff85df3607a1cedbc99/src/_igraph/vertexobject.c#L539-L543

https://github.com/igraph/python-igraph/blob/5a451e6e1bfc3bac9ed3fff85df3607a1cedbc99/src/_igraph/vertexobject.c#L547-L551

https://github.com/igraph/python-igraph/blob/5a451e6e1bfc3bac9ed3fff85df3607a1cedbc99/src/_igraph/vertexobject.c#L641-L644

https://github.com/igraph/python-igraph/blob/5a451e6e1bfc3bac9ed3fff85df3607a1cedbc99/src/_igraph/vertexobject.c#L686-L689

https://github.com/igraph/python-igraph/blob/5a451e6e1bfc3bac9ed3fff85df3607a1cedbc99/src/_igraph/indexing.c#L342-L345

https://github.com/igraph/python-igraph/blob/5a451e6e1bfc3bac9ed3fff85df3607a1cedbc99/src/_igraph/indexing.c#L404-L407

https://github.com/igraph/python-igraph/blob/5a451e6e1bfc3bac9ed3fff85df3607a1cedbc99/src/_igraph/edgeseqobject.c#L312-L316

https://github.com/igraph/python-igraph/blob/5a451e6e1bfc3bac9ed3fff85df3607a1cedbc99/src/_igraph/edgeseqobject.c#L337-L341

https://github.com/igraph/python-igraph/blob/5a451e6e1bfc3bac9ed3fff85df3607a1cedbc99/src/_igraph/edgeseqobject.c#L361-L365

https://github.com/igraph/python-igraph/blob/5a451e6e1bfc3bac9ed3fff85df3607a1cedbc99/src/_igraph/edgeseqobject.c#L497-L500

https://github.com/igraph/python-igraph/blob/5a451e6e1bfc3bac9ed3fff85df3607a1cedbc99/src/_igraph/edgeseqobject.c#L518-L522

https://github.com/igraph/python-igraph/blob/5a451e6e1bfc3bac9ed3fff85df3607a1cedbc99/src/_igraph/edgeseqobject.c#L562-L566

https://github.com/igraph/python-igraph/blob/5a451e6e1bfc3bac9ed3fff85df3607a1cedbc99/src/_igraph/edgeseqobject.c#L581-L585

https://github.com/igraph/python-igraph/blob/5a451e6e1bfc3bac9ed3fff85df3607a1cedbc99/src/_igraph/edgeseqobject.c#L598-L602

https://github.com/igraph/python-igraph/blob/5a451e6e1bfc3bac9ed3fff85df3607a1cedbc99/src/_igraph/operators.c#L156-L163

https://github.com/igraph/python-igraph/blob/5a451e6e1bfc3bac9ed3fff85df3607a1cedbc99/src/_igraph/operators.c#L167-L173

https://github.com/igraph/python-igraph/blob/5a451e6e1bfc3bac9ed3fff85df3607a1cedbc99/src/_igraph/operators.c#L281-L288

https://github.com/igraph/python-igraph/blob/5a451e6e1bfc3bac9ed3fff85df3607a1cedbc99/src/_igraph/operators.c#L292-L298

### Root Cause

[PyList_SetItem Source Code](https://github.com/python/cpython/blob/a126893fa80c4ee5f0bac8a84a49491c19edd511/Objects/listobject.c#L454)

[PyList_SetItem Document](https://docs.python.org/3/c-api/list.html#c.PyList_SetItem)

[PyList_SetItem Python Forum Discussion](https://discuss.python.org/t/proper-handling-of-pylist-setitem-return-value-and-reference-stealing-in-cpython-c-extensions/105805)

Therefore, whether the function succeeds or fails, it will steal a reference count of the third argument. It must not call `Py_XDECREF/Py_DECREF` in case of failure.

### Evidence：Reference Counting and Ownership in CPython Native API

#### Borrowed Reference
A borrowed reference is a reference obtained from an object that you don't own. You don't need to decrement its reference count when you're done with it, but you must ensure the object stays alive while you're using it (e.g., by creating an owned reference with `Py_INCREF` if necessary). Borrowed references are typically returned by functions like `PyList_GetItem()`, which returns an item from a list without incrementing its reference count.

#### New Reference
A new reference (also called an "owned reference") is a reference that you have ownership of. When you receive a new reference from a function (such as `PyObject_New()` or `Py_BuildValue()`), you are responsible for calling `Py_DECREF()` on it when you no longer need it to properly decrement its reference count. Failure to do so causes memory leaks.

#### Stolen Reference (Stealing)

A stolen reference is when a function takes ownership of a reference you pass to it. When you pass an object reference to a function that "steals" it, you no longer own that reference, and you should **not** call `Py_DECREF()` on it afterward. The function assumes full responsibility for managing the reference count of that object.

##### Example: `PyList_SetItem`

`PyList_SetItem` is a classic example of a reference-stealing function. According to the documentation:

> "Set the item at index *index* in list to *item*. Return 0 on success. If index is out of bounds, return -1 and set an IndexError exception. **Note: This function 'steals' a reference to *item* and discards a reference to an item already in the list at the affected position.**"

However, a critical ambiguity in the documentation is that it does **not** clearly state whether the reference is stolen in the case of function failure. This is fundamentally an **all-or-nothing problem**: when you pass an object to a stealing function, you must understand whether ownership is unconditionally transferred or only transferred on success.

Looking at the CPython source code clarifies this behavior:

```C
int
PyList_SetItem(PyObject *op, Py_ssize_t i,
               PyObject *newitem)
{
    if (!PyList_Check(op)) {
        Py_XDECREF(newitem);
        PyErr_BadInternalCall();
        return -1;
    }
    // ...
}
```

As demonstrated in the source code above, `PyList_SetItem` unconditionally calls `Py_XDECREF(newitem)` when the type check fails—meaning it **always** steals the reference, even on failure. The function takes ownership of `newitem` regardless of whether it successfully inserts the item into the list.

This behavior has serious implications for correct API usage. Consider the following **incorrect** code:

```C
if (PyList_SetItem(a, b, something) < 0) {
    Py_DECREF(something);  // DANGER: Use-After-Free!
}
```

This code is defective because it leads to a **use-after-free** vulnerability. Since `PyList_SetItem` already stole the reference (and decremented it on failure via `Py_XDECREF`), the additional `Py_DECREF(something)` in the error-handling block causes a double decrement, potentially leading to an assertion failure in debug builds or memory corruption and crashes in release builds.

The correct pattern is simply:

```C
if (PyList_SetItem(a, b, something) < 0) {
    // Do NOT call Py_DECREF on 'something' - the reference was already stolen
    return NULL;  // or handle error appropriately
}
```

In summary, when dealing with stealing functions in the CPython API, you must relinquish all ownership responsibility for the passed reference and **never** decrement it after the call, regardless of the return value. Always consult the source code or thoroughly documented behavior to confirm whether a function truly provides an all-or-nothing stealing guarantee.

	if (PyList_SetItem(result, i, item)) {
	Py_DECREF(item);
	Py_DECREF(result);
	return 0;
	}

	if (PyList_SetItem(result, i, item)) {
	Py_DECREF(item);
	Py_DECREF(result);
	return 0;
	}

	if (PyList_SetItem(result, i, item)) {
	Py_DECREF(item);
	Py_DECREF(result);
	return 0;
	}

	if (PyList_SetItem(list, i, item)) {
	Py_DECREF(item);
	return -1;
	} /* PyList_SetItem stole a reference to the item automatically */

	if (PyList_SetItem(list, VECTOR(vs)[i], item)) {
	Py_DECREF(item);
	igraph_vector_int_destroy(&vs);
	return -1;
	} /* PyList_SetItem stole a reference to the item automatically */

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Reference Counting (Use-After-Free) Bugs for `PyList_SetItem` #884

Related PR

Description

Affected Code

Root Cause

Evidence：Reference Counting and Ownership in CPython Native API

Borrowed Reference

New Reference

Stolen Reference (Stealing)

Example: `PyList_SetItem`

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

	if (PyList_SetItem(list, i, Py_None)) {
	Py_DECREF(Py_None);
	Py_DECREF(list);
	igraph_vector_int_destroy(&vs);
	return -1;
	}

	if (PyList_SetItem(values, i, Py_None)) { /* reference stolen */
	Py_DECREF(values);
	Py_DECREF(Py_None);
	return 0;
	}

	if (PyList_SetItem(value, i + j, o)) {
	Py_DECREF(o); /* append failed */
	o = NULL; /* indicate error */
	} else {

	if (PyList_SetItem(newlist, i, o)) {
	PyErr_PrintEx(0);
	Py_DECREF(o);
	Py_DECREF(newlist);
	Py_DECREF(newdict);
	IGRAPH_ERROR("", IGRAPH_FAILURE);
	}

	if (PyList_SetItem(list, j, item)) { /* reference to item stolen */
	Py_DECREF(item);
	Py_DECREF(res);
	return 0;
	}

	if (PyList_SetItem(res, i, item)) { /* reference to item stolen */
	Py_DECREF(item);
	Py_DECREF(res);
	return 0;
	}

	if (PyList_SetItem(res, i, item)) { /* reference to item stolen */
	Py_DECREF(item);
	Py_DECREF(random_func);
	Py_DECREF(res);
	return 0;
	}

	if (PyList_SetItem(res, i, item)) {
	Py_DECREF(item);
	Py_DECREF(list);
	Py_DECREF(res);
	return 0;
	}

	r=PyList_SetItem(result, self->idx, v);
	if (r == -1) { Py_DECREF(v); }

	if (PyList_SetItem(result, i, Py_None) == -1) {
	Py_DECREF(Py_None);
	Py_DECREF(result);
	return -1;
	}

	if (PyList_SetItem(obj, i, edge)) { /* reference to v stolen, reference to idx discarded */
	Py_DECREF(edge);
	return NULL;
	}

	if (PyList_SetItem(obj, i, v)) { /* reference to v stolen, reference to idx discarded */
	Py_DECREF(v);
	return NULL;
	}

	if (PyList_SetItem(values, eid, new_value)) {
	Py_DECREF(new_value);
	igraph_vector_int_clear(&data->to_add);
	}

	if (PyList_SetItem(result, i, v) == -1) {
	Py_DECREF(v);
	Py_DECREF(result);
	return -1;
	}

	if (PyList_SetItem(values, eid, item)) {
	Py_DECREF(item);
	igraph_vector_int_clear(&data->to_add);
	}

	if (PyList_SetItem(list, VECTOR(es)[i], item)) {
	Py_DECREF(item);
	igraph_vector_int_destroy(&es);
	return -1;
	} /* PyList_SetItem stole a reference to the item automatically */

	if (!dest \|\| PyList_SetItem(emi, j, dest)) {
	igraph_vector_ptr_destroy(&gs);
	igraph_vector_int_list_destroy(&edgemaps);
	Py_XDECREF(dest);
	Py_DECREF(emi);
	Py_DECREF(em_list);
	return NULL;
	}

	if (!emi \|\| PyList_SetItem(em_list, i, emi)) {
	igraph_vector_ptr_destroy(&gs);
	igraph_vector_int_list_destroy(&edgemaps);
	Py_XDECREF(emi);
	Py_DECREF(em_list);
	return NULL;
	}

Reference Counting (Use-After-Free) Bugs for PyList_SetItem #884

Description

Related PR

Description

Affected Code

Root Cause

Evidence：Reference Counting and Ownership in CPython Native API

Borrowed Reference

New Reference

Stolen Reference (Stealing)

Example: PyList_SetItem

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions

Reference Counting (Use-After-Free) Bugs for `PyList_SetItem` #884

Example: `PyList_SetItem`