gh-151403: Fix use-after-free when an argv item's __fspath__ mutates args (GH-151404)

tonghuaroot · miss-islington · commit 7964840bc8c7 · 2026-06-13T17:24:01.000Z
--------- (cherry picked from commit 6679ac0) Co-authored-by: tonghuaroot (童话) <tonghuaroot@gmail.com> Co-authored-by: tonghuaroot <23011166+tonghuaroot@users.noreply.github.com>
diff --git a/Misc/NEWS.d/next/Library/2026-06-12-22-46-31.gh-issue-151403.DalZWh.rst b/Misc/NEWS.d/next/Library/2026-06-12-22-46-31.gh-issue-151403.DalZWh.rst
@@ -0,0 +1,3 @@
+Fixed a crash in :class:`subprocess.Popen` (and ``_posixsubprocess.fork_exec``)
+when an ``argv`` item's :meth:`~os.PathLike.__fspath__` concurrently mutates the
+``args`` sequence being converted.
diff --git a/Modules/_posixsubprocess.c b/Modules/_posixsubprocess.c
@@ -1089,8 +1089,14 @@ subprocess_fork_exec_impl(PyObject *module, PyObject *process_args,
                 goto cleanup;
             }
             borrowed_arg = PySequence_Fast_GET_ITEM(fast_args, arg_num);
-            if (PyUnicode_FSConverter(borrowed_arg, &converted_arg) == 0)
+            /* borrowed_arg is only borrowed; its __fspath__() may run Python
+               that drops fast_args' last reference to it. */
+            Py_INCREF(borrowed_arg);
+            if (PyUnicode_FSConverter(borrowed_arg, &converted_arg) == 0) {
+                Py_DECREF(borrowed_arg);
                 goto cleanup;
+            }
+            Py_DECREF(borrowed_arg);
             PyTuple_SET_ITEM(converted_args, arg_num, converted_arg);
         }
 

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+Fixed a crash in :class:`subprocess.Popen` (and ``_posixsubprocess.fork_exec``)
	`2`	+when an ``argv`` item's :meth:`~os.PathLike.__fspath__` concurrently mutates the
	`3`	+``args`` sequence being converted.