Fix null pointer dereference in array.__setitem__ via re-entrant __index__

Author: aisk

Lib/test/test_array.py

@@ -1680,6 +1680,23 @@ def test_gh_128961(self):
         it.__setstate__(0)
         self.assertRaises(StopIteration, next, it)
 
+    def test_gh_142555(self):
+        # Test for null pointer dereference in array.__setitem__
+        # via re-entrant __index__.
+        victim = array.array('b', [0] * 64)
+
+        class EvilIndex:
+            def __index__(self):
+                # Re-entrant mutation: shrink the array while __setitem__
+                # still holds a pointer to the pre-clear buffer.
+                victim.clear()
+                return 0
+
+        with self.assertRaises(IndexError):
+            victim[1] = EvilIndex()
+
+        self.assertEqual(len(victim), 0)
+
 
 if __name__ == "__main__":
     unittest.main()

Misc/NEWS.d/next/Core_and_Builtins/2025-12-15-02-02-45.gh-issue-142555.EC9QN_.rst

@@ -0,0 +1,3 @@
+Fix null pointer dereference in :class:`array.array.__setitem__` via
+an user-defined ``__index__`` method which modify the array during index
+conversion.

Modules/arraymodule.c

@@ -221,7 +221,17 @@ b_setitem(arrayobject *ap, Py_ssize_t i, PyObject *v)
        the overflow checking */
     if (!PyArg_Parse(v, "h;array item must be integer", &x))
         return -1;
-    else if (x < -128) {
+
+    /* Check buffer validity after PyArg_Parse which may call user-defined
+     * __index__ on v, which might modify the array buffer. See gh-142555.
+     */
+    if (i >= 0 && ap->ob_item == NULL) {
+        PyErr_SetString(PyExc_IndexError,
+            "array assignment index out of range");
+        return -1;
+    }
+
+    if (x < -128) {
         PyErr_SetString(PyExc_OverflowError,
             "signed char is less than minimum");
         return -1;