This is an automated email from the ASF dual-hosted git repository.
raulcd pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/arrow.git
The following commit(s) were added to refs/heads/main by this push:
new 15c2a3bca9 GH-49917: [Python] Remove Py_XDECREF to avoid
Use-After-Free on `PyList_SetItem` in `SparseCSFTensorToNdarray` (#49916)
15c2a3bca9 is described below
commit 15c2a3bca9689ce700229cbfe568fd64dc73919f
Author: Wang Rui <[email protected]>
AuthorDate: Thu May 7 15:38:10 2026 +0800
GH-49917: [Python] Remove Py_XDECREF to avoid Use-After-Free on
`PyList_SetItem` in `SparseCSFTensorToNdarray` (#49916)
### Rationale for this change
Py_DECREF(item) in PyList_SetItem will cause a Use-After-Free bug if
`PyList_SetItem(indptr.obj(), i, item) < 0` is `true`, because `PyList_SetItem`
always steals a reference to the item, even when it fails.
### What changes are included in this PR?
1. Remove Py_DECREF(item) in the PyList_SetItem error path.
### Are these changes tested?
By CI.
### Are there any user-facing changes?
No.
* GitHub Issue: #49917
Authored-by: Wang Rui <[email protected]>
Signed-off-by: Raúl Cumplido <[email protected]>
---
python/pyarrow/src/arrow/python/numpy_convert.cc | 2 --
1 file changed, 2 deletions(-)
diff --git a/python/pyarrow/src/arrow/python/numpy_convert.cc
b/python/pyarrow/src/arrow/python/numpy_convert.cc
index fbbfccc871..6e59835286 100644
--- a/python/pyarrow/src/arrow/python/numpy_convert.cc
+++ b/python/pyarrow/src/arrow/python/numpy_convert.cc
@@ -398,7 +398,6 @@ Status SparseCSFTensorToNdarray(const
std::shared_ptr<SparseCSFTensor>& sparse_t
PyObject* item;
RETURN_NOT_OK(TensorToNdarray(sparse_index.indptr()[i], base, &item));
if (PyList_SetItem(indptr.obj(), i, item) < 0) {
- Py_XDECREF(item);
RETURN_IF_PYERROR();
}
}
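Review bot: The error branch under `if (PyList_SetItem(indptr.obj(), i, item) < 0)` now leaves `item` with no visible cleanup and no explanation of why that is correct. A one-line comment there saying that `PyList_SetItem` steals the reference to `item` even when it fails would keep a later reader from restoring the `Py_XDECREF(item)`. The commit message also names `Py_DECREF(item)` while the removed line is `Py_XDECREF(item)`; the two should match.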
@@ -406,7 +405,6 @@ Status SparseCSFTensorToNdarray(const
std::shared_ptr<SparseCSFTensor>& sparse_t
PyObject* item;
RETURN_NOT_OK(TensorToNdarray(sparse_index.indices()[i], base, &item));
if (PyList_SetItem(indices.obj(), i, item) < 0) {
- Py_XDECREF(item);
RETURN_IF_PYERROR();
}
}
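Review bot: The `indices` loop duplicates the `indptr` loop line for line, differing only in `sparse_index.indices()[i]` and `indices.obj()`, which is why the same ownership fix had to be made twice. Consider moving the `TensorToNdarray` plus `PyList_SetItem` step into one small helper that takes the target list and the source tensor, so the reference-stealing rule is handled in a single place. The description gives CI as the only testing; it would help to state whether any existing test reaches this `< 0` branch.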