python · skirpichev · Jan 3, 2026 · Jan 10, 2026 · Jan 10, 2026 · Jan 10, 2026
diff --git a/Include/internal/pycore_pyatomic_ft_wrappers.h b/Include/internal/pycore_pyatomic_ft_wrappers.h
@@ -107,6 +107,8 @@ extern "C"{
  _Py_atomic_store_ulong_relaxed(&value, new_value)
 #define FT_ATOMIC_STORE_SSIZE_RELAXED(value, new_value) \
  _Py_atomic_store_ssize_relaxed(&value, new_value)
+#define FT_ATOMIC_STORE_SSIZE(value, new_value) \
+ _Py_atomic_store_ssize(&value, new_value)
 #define FT_ATOMIC_STORE_FLOAT_RELAXED(value, new_value) \
  _Py_atomic_store_float_relaxed(&value, new_value)
 #define FT_ATOMIC_LOAD_FLOAT_RELAXED(value) \
@@ -151,6 +153,7 @@ extern "C"{
 #define FT_ATOMIC_STORE_INT8_RELAXED(value, new_value) value = new_value
 #define FT_ATOMIC_STORE_INT8_RELEASE(value, new_value) value = new_value
 #define FT_ATOMIC_STORE_SSIZE_RELAXED(value, new_value) value = new_value
+#define FT_ATOMIC_STORE_SSIZE(value, new_value) value = new_value
 #define FT_ATOMIC_STORE_SSIZE_RELEASE(value, new_value) value = new_value
 #define FT_ATOMIC_STORE_UINT8_RELAXED(value, new_value) value = new_value
 #define FT_ATOMIC_STORE_UINT16_RELAXED(value, new_value) value = new_value

diff --git a/Lib/test/test_struct.py b/Lib/test/test_struct.py
@@ -579,7 +579,7 @@ def test_Struct_reinitialization(self):
 
  def check_sizeof(self, format_str, number_of_codes):
  # The size of 'PyStructObject'
- totalsize = support.calcobjsize('2n3P')
+ totalsize = support.calcobjsize('2n3P1n')
  # The size taken up by the 'formatcode' dynamic array
  totalsize += struct.calcsize('P3n0P') * (number_of_codes + 1)
  support.check_sizeof(self, struct.Struct(format_str), totalsize)
@@ -816,6 +816,19 @@ def test_endian_table_init_subinterpreters(self):
  results = executor.map(exec, [code] * 5)
  self.assertListEqual(list(results), [None] * 5)
 
+ def test_Struct_object_mutation_via_dunders(self):
+ S = struct.Struct('?I')
+ buf = array.array('b', b' '*100)
+
+ class Evil():
+ def __bool__(self):
+ # This rebuilds format codes during S.pack().
+ S.__init__('I')
+ return True
+
+ self.assertRaises(RuntimeError, S.pack, Evil(), 1)
+ self.assertRaises(RuntimeError, S.pack_into, buf, 0, Evil(), 1)
+
 
 class UnpackIteratorTest(unittest.TestCase):
  """

diff --git a/Misc/NEWS.d/next/Library/2026-01-03-10-15-32.gh-issue-143379.iz-hU7.rst b/Misc/NEWS.d/next/Library/2026-01-03-10-15-32.gh-issue-143379.iz-hU7.rst
@@ -0,0 +1,4 @@
+Fix use-after-free in :meth:`struct.Struct.pack` when the
+:class:`struct.Struct` object is mutated by dunder methods (like
+:meth:`object.__bool__`) during packing of arguments. Now this trigger
+:exc:`RuntimeError`. Patch by Sergey B Kirpichev.
diff --git a/Modules/_struct.c b/Modules/_struct.c
@@ -70,6 +70,7 @@ typedef struct{
  formatcode *s_codes;
  PyObject *s_format;
  PyObject *weakreflist; /* List of weak references */
+ Py_ssize_t mutex_cnt; /* to prevent mutation during packing */
 } PyStructObject;
 
 #define PyStructObject_CAST(op) ((PyStructObject *)(op))
@@ -1773,6 +1774,7 @@ s_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
  s->s_codes = NULL;
  s->s_size = -1;
  s->s_len = -1;
+ s->mutex_cnt = 0;
  }
  return self;
 }
@@ -1816,6 +1818,11 @@ Struct___init___impl(PyStructObject *self, PyObject *format)
 
  Py_SETREF(self->s_format, format);
 
+ if (FT_ATOMIC_LOAD_SSIZE(self->mutex_cnt)){
+ PyErr_SetString(PyExc_RuntimeError,
+ "Call Struct.__init__() in struct.pack()");
-"Call Struct.__init__() in struct.pack()");
+"cannot call Struct.__init__() in struct.pack()");
-"Call Struct.__init__() in struct.pack()");
+"cannot call Struct.__init__() in struct.pack()");
+ return -1;
+ }
  ret = prepare_s(self);
  return ret;
 }
@@ -2139,7 +2146,7 @@ Struct_iter_unpack_impl(PyStructObject *self, PyObject *buffer)
  * argument for where to start processing the arguments for packing, and a
  * character buffer for writing the packed string. The caller must insure
  * that the buffer may contain the required length for packing the arguments.
- * 0 is returned on success, 1 is returned if there is an error.
+ * 0 is returned on success, -1 is returned if there is an error.
  *
  */
 static int
@@ -2259,10 +2266,15 @@ s_pack(PyObject *self, PyObject *const *args, Py_ssize_t nargs)
  char *buf = PyBytesWriter_GetData(writer);
 
  /* Call the guts */
+ Py_ssize_t prev_cnt = FT_ATOMIC_LOAD_SSIZE(soself->mutex_cnt);
+
+ FT_ATOMIC_ADD_SSIZE(soself->mutex_cnt, 1);
  if ( s_pack_internal(soself, args, 0, buf, state) != 0 ){
+ FT_ATOMIC_STORE_SSIZE(soself->mutex_cnt, prev_cnt);
  PyBytesWriter_Discard(writer);
  return NULL;
  }
+ FT_ATOMIC_STORE_SSIZE(soself->mutex_cnt, prev_cnt);
 
  return PyBytesWriter_FinishWithSize(writer, soself->s_size);
 }
@@ -2360,10 +2372,15 @@ s_pack_into(PyObject *self, PyObject *const *args, Py_ssize_t nargs)
  }
 
  /* Call the guts */
+ Py_ssize_t prev_cnt = FT_ATOMIC_LOAD_SSIZE(soself->mutex_cnt);
+
+ FT_ATOMIC_ADD_SSIZE(soself->mutex_cnt, 1);
  if (s_pack_internal(soself, args, 2, (char*)buffer.buf + offset, state) != 0){
+ FT_ATOMIC_STORE_SSIZE(soself->mutex_cnt, prev_cnt);
  PyBuffer_Release(&buffer);
  return NULL;
  }
+ FT_ATOMIC_STORE_SSIZE(soself->mutex_cnt, prev_cnt);
 
  PyBuffer_Release(&buffer);
  Py_RETURN_NONE;