bpo-45691: Make array of small ints static to fix use-after-free error.

Include/internal/pycore_interp.h

@@ -330,11 +330,6 @@ struct _is {
 
     PyObject *audit_hooks;
 
-    /* Small integers are preallocated in this array so that they
-       can be shared.
-       The integers that are preallocated are those in the range
-       -_PY_NSMALLNEGINTS (inclusive) to _PY_NSMALLPOSINTS (not inclusive).
-    */
     PyLongObject small_ints[_PY_NSMALLNEGINTS + _PY_NSMALLPOSINTS];
     struct _Py_bytes_state bytes;
     struct _Py_unicode_state unicode;

Include/internal/pycore_long.h

@@ -11,28 +11,22 @@ extern "C" {
 #include "pycore_interp.h"        // PyInterpreterState.small_ints
 #include "pycore_pystate.h"       // _PyThreadState_GET()
 
-// Don't call this function but _PyLong_GetZero() and _PyLong_GetOne()
-static inline PyObject* __PyLong_GetSmallInt_internal(int value)
-{
-    PyInterpreterState *interp = _PyInterpreterState_GET();
-    assert(-_PY_NSMALLNEGINTS <= value && value < _PY_NSMALLPOSINTS);
-    size_t index = _PY_NSMALLNEGINTS + value;
-    PyObject *obj = (PyObject*)&interp->small_ints[index];
-    // _PyLong_GetZero(), _PyLong_GetOne() and get_small_int() must not be
-    // called before _PyLong_Init() nor after _PyLong_Fini().
-    assert(obj != NULL);
-    return obj;
-}
+/* Small integers are preallocated in this array so that they
+    can be shared.
+    The integers that are preallocated are those in the range
+    -_PY_NSMALLNEGINTS (inclusive) to _PY_NSMALLPOSINTS (not inclusive).
+*/
+PyAPI_DATA(PyLongObject) _Py_SmallInts[_PY_NSMALLNEGINTS + _PY_NSMALLPOSINTS];
 
 // Return a borrowed reference to the zero singleton.
 // The function cannot return NULL.
 static inline PyObject* _PyLong_GetZero(void)
-{ return __PyLong_GetSmallInt_internal(0); }
+{ return (PyObject *)&_Py_SmallInts[_PY_NSMALLNEGINTS]; }
 
 // Return a borrowed reference to the one singleton.
 // The function cannot return NULL.
 static inline PyObject* _PyLong_GetOne(void)
-{ return __PyLong_GetSmallInt_internal(1); }
+{ return (PyObject *)&_Py_SmallInts[_PY_NSMALLNEGINTS+1]; }
 
 PyObject *_PyLong_Add(PyLongObject *left, PyLongObject *right);
 PyObject *_PyLong_Multiply(PyLongObject *left, PyLongObject *right);

Objects/longobject.c

@@ -5,7 +5,7 @@
 #include "Python.h"
 #include "pycore_bitutils.h"      // _Py_popcount32()
 #include "pycore_interp.h"        // _PY_NSMALLPOSINTS
-#include "pycore_long.h"          // __PyLong_GetSmallInt_internal()
+#include "pycore_long.h"          // _Py_SmallInts
 #include "pycore_object.h"        // _PyObject_InitVar()
 #include "pycore_pystate.h"       // _Py_IsMainInterpreter()
 
@@ -51,7 +51,7 @@ static PyObject *
 get_small_int(sdigit ival)
 {
     assert(IS_SMALL_INT(ival));
-    PyObject *v = __PyLong_GetSmallInt_internal(ival);
+    PyObject *v = (PyObject *)&_Py_SmallInts[_PY_NSMALLNEGINTS + ival];
     Py_INCREF(v);
     return v;
 }
@@ -5827,20 +5827,23 @@ PyLong_GetInfo(void)
     return int_info;
 }
 
+PyLongObject _Py_SmallInts[_PY_NSMALLNEGINTS + _PY_NSMALLPOSINTS] = { 0 };
+
 void
 _PyLong_Init(PyInterpreterState *interp)
 {
-    for (Py_ssize_t i=0; i < NSMALLNEGINTS + NSMALLPOSINTS; i++) {
-        sdigit ival = (sdigit)i - NSMALLNEGINTS;
-        int size = (ival < 0) ? -1 : ((ival == 0) ? 0 : 1);
-        interp->small_ints[i].ob_base.ob_base.ob_refcnt = 1;
-        interp->small_ints[i].ob_base.ob_base.ob_type = &PyLong_Type;
-        interp->small_ints[i].ob_base.ob_size = size;
-        interp->small_ints[i].ob_digit[0] = (digit)abs(ival);
+    if (_Py_SmallInts[0].ob_base.ob_base.ob_refcnt == 0) {
+        for (Py_ssize_t i=0; i < NSMALLNEGINTS + NSMALLPOSINTS; i++) {
+            sdigit ival = (sdigit)i - NSMALLNEGINTS;
+            int size = (ival < 0) ? -1 : ((ival == 0) ? 0 : 1);
+            _Py_SmallInts[i].ob_base.ob_base.ob_refcnt = 1;
+            _Py_SmallInts[i].ob_base.ob_base.ob_type = &PyLong_Type;
+            _Py_SmallInts[i].ob_base.ob_size = size;
+            _Py_SmallInts[i].ob_digit[0] = (digit)abs(ival);
+        }
     }
 }
 
-
 int
 _PyLong_InitTypes(void)
 {