gh-143236: fix _PyEval_LoadName has use-after-free issue

Author: fatelei

Lib/test/test_frame.py

@@ -177,6 +177,31 @@ class C:
             self.clear_traceback_frames(exc.__traceback__)
             self.assertIs(None, wr())
 
+    @support.cpython_only
+    def test_frame_clear_during_load_name(self):
+        def get_frame():
+            try:
+                raise RuntimeError
+            except RuntimeError as e:
+                return e.__traceback__.tb_frame
+
+        frame = get_frame()
+
+        class Fuse(str):
+            cleared = False
+            __hash__ = str.__hash__
+            def __eq__(self, other):
+                if not Fuse.cleared and other == "boom":
+                    Fuse.cleared = True
+                    Fuse.frame.clear()
+                    return False
+                return super().__eq__(other)
+
+        Fuse.frame = frame
+        frame.f_locals[Fuse("boom")] = 0
+        with self.assertRaises(NameError):
+            exec("boom", {}, frame.f_locals)
+
 
 class FrameAttrsTest(unittest.TestCase):
 

Misc/NEWS.d/next/Library/2025-12-30-13-56-40.gh-issue-143236.IxHw2y.rst

@@ -0,0 +1 @@
+Fix a bug in :mod:`ceval` where the load name has use-after-free bug.

Python/ceval.c

@@ -4061,9 +4061,17 @@ _PyEval_LoadName(PyThreadState *tstate, _PyInterpreterFrame *frame, PyObject *na
                             "no locals found");
         return NULL;
     }
-    if (PyMapping_GetOptionalItem(frame->f_locals, name, &value) < 0) {
+
+    PyObject *locals = frame->f_locals;
+    Py_INCREF(locals);
+
+    if (PyMapping_GetOptionalItem(locals, name, &value) < 0) {
+        Py_DECREF(locals);
         return NULL;
     }
+
+    Py_DECREF(locals);
+
     if (value != NULL) {
         return value;
     }