From d5b9513438ee3a4548edac7ec46605d3668974ac Mon Sep 17 00:00:00 2001
From: Pieter Eendebak <pieter.eendebak@gmail.com>
Date: Mon, 2 Mar 2026 12:02:14 +0100
Subject: [PATCH 1/5] Fix null pointer deref in md5module.c

---
 Modules/md5module.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/Modules/md5module.c b/Modules/md5module.c
index 56e9faf4c62002..d5a5fc35801c85 100644
--- a/Modules/md5module.c
+++ b/Modules/md5module.c
@@ -87,7 +87,9 @@ static void
 MD5_dealloc(PyObject *op)
 {
     MD5object *ptr = _MD5object_CAST(op);
+    if (ptr->hash_state != NULL) {
     Hacl_Hash_MD5_free(ptr->hash_state);
+    }
     PyTypeObject *tp = Py_TYPE(op);
     PyObject_GC_UnTrack(ptr);
     PyObject_GC_Del(ptr);

From 6cc205c54570a4f424e86d5a6bc48b0cd470acd0 Mon Sep 17 00:00:00 2001
From: Pieter Eendebak <pieter.eendebak@gmail.com>
Date: Mon, 2 Mar 2026 15:45:53 +0100
Subject: [PATCH 2/5] pep7

---
 Modules/md5module.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Modules/md5module.c b/Modules/md5module.c
index d5a5fc35801c85..845b7d8d694dee 100644
--- a/Modules/md5module.c
+++ b/Modules/md5module.c
@@ -88,7 +88,7 @@ MD5_dealloc(PyObject *op)
 {
     MD5object *ptr = _MD5object_CAST(op);
     if (ptr->hash_state != NULL) {
-    Hacl_Hash_MD5_free(ptr->hash_state);
+        Hacl_Hash_MD5_free(ptr->hash_state);
     }
     PyTypeObject *tp = Py_TYPE(op);
     PyObject_GC_UnTrack(ptr);

From 330128ffda88aa3c5d1344a97243f8f78380c302 Mon Sep 17 00:00:00 2001
From: Pieter Eendebak <pieter.eendebak@gmail.com>
Date: Mon, 2 Mar 2026 20:37:04 +0100
Subject: [PATCH 3/5] review comments

---
 Modules/hmacmodule.c | 10 ++++++----
 Modules/md5module.c  |  1 +
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/Modules/hmacmodule.c b/Modules/hmacmodule.c
index f074f24807703c..6fb0ec8458ac67 100644
--- a/Modules/hmacmodule.c
+++ b/Modules/hmacmodule.c
@@ -1378,9 +1378,8 @@ static void
 py_hmac_hinfo_ht_free(void *hinfo)
 {
     py_hmac_hinfo *entry = (py_hmac_hinfo *)hinfo;
-    assert(entry->display_name != NULL);
     if (--(entry->refcnt) == 0) {
-        Py_CLEAR(entry->display_name);
+        Py_XCLEAR(entry->display_name);
         PyMem_Free(hinfo);
     }
 }
@@ -1457,7 +1456,9 @@ py_hmac_hinfo_ht_new(void)
         do {                                                    \
             int rc = py_hmac_hinfo_ht_add(table, KEY, value);   \
             if (rc < 0) {                                       \
-                PyMem_Free(value);                              \
+                if (value->refcnt == 0) {                       \
+                    PyMem_Free(value);                          \
+                }                                               \
                 goto error;                                     \
             }                                                   \
             else if (rc == 1) {                                 \
@@ -1474,7 +1475,8 @@ py_hmac_hinfo_ht_new(void)
             e->hashlib_name == NULL ? e->name : e->hashlib_name
         );
         if (value->display_name == NULL) {
-            PyMem_Free(value);
+            /* value is owned by the table (refcnt > 0), so
+               _Py_hashtable_destroy() will free it. */
             goto error;
         }
     }
diff --git a/Modules/md5module.c b/Modules/md5module.c
index 845b7d8d694dee..e598b1fe67240d 100644
--- a/Modules/md5module.c
+++ b/Modules/md5module.c
@@ -89,6 +89,7 @@ MD5_dealloc(PyObject *op)
     MD5object *ptr = _MD5object_CAST(op);
     if (ptr->hash_state != NULL) {
         Hacl_Hash_MD5_free(ptr->hash_state);
+        ptr->hash_state = NULL;
     }
     PyTypeObject *tp = Py_TYPE(op);
     PyObject_GC_UnTrack(ptr);

From aae8d2227f6e9b1c99945e0b6ee94b3a80d67fa4 Mon Sep 17 00:00:00 2001
From: "blurb-it[bot]" <43283697+blurb-it[bot]@users.noreply.github.com>
Date: Mon, 2 Mar 2026 19:41:44 +0000
Subject: [PATCH 4/5] =?UTF-8?q?=F0=9F=93=9C=F0=9F=A4=96=20Added=20by=20blu?=
 =?UTF-8?q?rb=5Fit.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../next/Library/2026-03-02-19-41-39.gh-issue-145376.OOzSOh.rst  | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 Misc/NEWS.d/next/Library/2026-03-02-19-41-39.gh-issue-145376.OOzSOh.rst

diff --git a/Misc/NEWS.d/next/Library/2026-03-02-19-41-39.gh-issue-145376.OOzSOh.rst b/Misc/NEWS.d/next/Library/2026-03-02-19-41-39.gh-issue-145376.OOzSOh.rst
new file mode 100644
index 00000000000000..466b9a9117d85d
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2026-03-02-19-41-39.gh-issue-145376.OOzSOh.rst
@@ -0,0 +1 @@
+Fix double free and null pointer dereference in unusual error scenarios in :mod:`md5module` and :mod:`hmacmodule`.

From 3aa0033450c213078b844493da0a219488ea1c03 Mon Sep 17 00:00:00 2001
From: Pieter Eendebak <pieter.eendebak@gmail.com>
Date: Mon, 2 Mar 2026 20:46:35 +0100
Subject: [PATCH 5/5] fix

---
 Modules/hmacmodule.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Modules/hmacmodule.c b/Modules/hmacmodule.c
index 6fb0ec8458ac67..d45ddbe58e6d5d 100644
--- a/Modules/hmacmodule.c
+++ b/Modules/hmacmodule.c
@@ -1379,7 +1379,7 @@ py_hmac_hinfo_ht_free(void *hinfo)
 {
     py_hmac_hinfo *entry = (py_hmac_hinfo *)hinfo;
     if (--(entry->refcnt) == 0) {
-        Py_XCLEAR(entry->display_name);
+        Py_CLEAR(entry->display_name);
         PyMem_Free(hinfo);
     }
 }