From 671360161f0b7a5ff4c1d062e570962e851b4bde Mon Sep 17 00:00:00 2001
From: kcatss <kcats9731@gmail.com>
Date: Thu, 15 Feb 2024 01:08:26 +0900
Subject: [PATCH] gh-115243: Fix crash in deque.index() when the deque is
 concurrently modified (GH-115247)

---
 Lib/test/test_deque.py                                      | 6 +++++-
 .../Security/2024-02-12-00-33-01.gh-issue-115243.e1oGX8.rst | 1 +
 Modules/_collectionsmodule.c                                | 3 ++-
 3 files changed, 8 insertions(+), 2 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Security/2024-02-12-00-33-01.gh-issue-115243.e1oGX8.rst

diff --git a/Lib/test/test_deque.py b/Lib/test/test_deque.py
index ae1dfacd726..4679f297fd7 100644
--- a/Lib/test/test_deque.py
+++ b/Lib/test/test_deque.py
@@ -166,7 +166,7 @@ class TestBasic(unittest.TestCase):
         with self.assertRaises(RuntimeError):
             n in d
 
-    def test_contains_count_stop_crashes(self):
+    def test_contains_count_index_stop_crashes(self):
         class A:
             def __eq__(self, other):
                 d.clear()
@@ -178,6 +178,10 @@ class TestBasic(unittest.TestCase):
         with self.assertRaises(RuntimeError):
             _ = d.count(3)
 
+        d = deque([A()])
+        with self.assertRaises(RuntimeError):
+            d.index(0)
+
     def test_extend(self):
         d = deque('a')
         self.assertRaises(TypeError, d.extend, 1)
diff --git a/Misc/NEWS.d/next/Security/2024-02-12-00-33-01.gh-issue-115243.e1oGX8.rst b/Misc/NEWS.d/next/Security/2024-02-12-00-33-01.gh-issue-115243.e1oGX8.rst
new file mode 100644
index 00000000000..ae0e910c7d1
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2024-02-12-00-33-01.gh-issue-115243.e1oGX8.rst
@@ -0,0 +1 @@
+Fix possible crashes in :meth:`collections.deque.index` when the deque is concurrently modified.
diff --git a/Modules/_collectionsmodule.c b/Modules/_collectionsmodule.c
index ef77d34b10e..4fa76d62bc3 100644
--- a/Modules/_collectionsmodule.c
+++ b/Modules/_collectionsmodule.c
@@ -1218,8 +1218,9 @@ deque_index_impl(dequeobject *deque, PyObject *v, Py_ssize_t start,
     n = stop - i;
     while (--n >= 0) {
         CHECK_NOT_END(b);
-        item = b->data[index];
+        item = Py_NewRef(b->data[index]);
         cmp = PyObject_RichCompareBool(item, v, Py_EQ);
+        Py_DECREF(item);
         if (cmp > 0)
             return PyLong_FromSsize_t(stop - n - 1);
         if (cmp < 0)