gh-120298: Fix use-after-free in list_richcompare_impl

[sobolevn]

This code does the same thing as the code above it:

cpython/Objects/listobject.c

Lines 3360 to 3364 in 0ae8579

	Py_INCREF(vitem);
	Py_INCREF(witem);
	int k = PyObject_RichCompareBool(vitem, witem, Py_EQ);
	Py_DECREF(vitem);
	Py_DECREF(witem);

And looks like it gets the job done. I've added tests for these two corner cases.

• Issue: Use After Free in list_richcompare_impl  #120298

[serhiy-storchaka]

What bisect or deque do with this?

What tests were added for the similar case above?

[serhiy-storchaka]

The corresponding test is test_equal_operator_modifying_operand in Lib/test/test_list.py (added in 2d5bf56, GH-17734). You can perhaps just add a case there.

[sobolevn]

Yes, @serhiy-storchaka, you are correct. I simplified the reproduction to:

class evil(object):
    def __lt__(self, other):
        other.clear()
        return NotImplemented

a =   [ [ evil()]]

a[0] < a  # crash without this patch

I've updated tests to store this test near test_equal_operator_modifying_operand. Thanks a lot for the advice!

[serhiy-storchaka]

LGTM.

[miss-islington-app]

Thanks @sobolevn for the PR 🌮🎉.. I'm working now to backport this PR to: 3.12.
🐍🍒⛏🤖

[miss-islington-app]

Thanks @sobolevn for the PR 🌮🎉.. I'm working now to backport this PR to: 3.13.
🐍🍒⛏🤖

[bedevere-app]

GH-120339 is a backport of this pull request to the 3.12 branch.

[bedevere-app]

GH-120340 is a backport of this pull request to the 3.13 branch.