Fix heap buffer overflow in set_clear_internal (GH-143546)

aviralgarg05 · aviralgarg05 · commit 574cb3474e1b · 2026-01-10T01:42:11.000+05:30
Added a bounds check in set_clear_internal to prevent heap buffer overflow when the set is mutated re-entrantly during iteration (e.g. via __eq__).
Added regression test in Lib/test/test_set.py.
diff --git a/Lib/test/test_set.py b/Lib/test/test_set.py
@@ -676,6 +676,42 @@ def __hash__(self):
             myset.discard(elem2)
 
 
+
+    def test_reentrant_clear_in_iand(self):
+        # Issue 143546: Heap buffer overflow in set_clear_internal
+        # via re-entrant __eq__ during set_iand
+        import random
+        aux = {object()}
+        targets = []
+
+        class Victim:
+            def __hash__(self): return 0
+            def __eq__(self, other): return NotImplemented
+
+        class Trigger:
+            def __hash__(self): return 0
+            def __eq__(self, other):
+                if not targets: return False
+                for s in targets:
+                    op = random.randrange(7)
+                    if op == 0: s.clear()
+                    elif op == 1: s.add(Victim())
+                    elif op == 2: s.discard(Victim())
+                    else: s ^= aux
+                return False
+
+        random.seed(0)
+        for _ in range(50):
+            left = {Victim() for _ in range(6)}
+            right = {Victim() for _ in range(6)}
+            for _ in range(3):
+                right.add(Trigger())
+            targets[:] = [left, right]
+            try:
+                left &= right
+            except (RuntimeError, IndexError):
+                pass
+
 class SetSubclass(set):
     pass
 
diff --git a/Objects/setobject.c b/Objects/setobject.c
@@ -678,7 +678,7 @@ set_clear_internal(PyObject *self)
      * assert that the refcount on table is 1 now, i.e. that this function
      * has unique access to it, so decref side-effects can't alter it.
      */
-    for (entry = table; used > 0; entry++) {
+    for (entry = table; used > 0 && entry < table + oldsize; entry++) {
         if (entry->key && entry->key != dummy) {
             used--;
             Py_DECREF(entry->key);
