Reference leak of seq in set_value_to_item macro on nested sequence error #9682

@Fuyugithub

Bug Description

In src/_imaging.c, the set_value_to_item macro returns NULL on nested sequence detection without decrementing the seq reference (a new ref from PySequence_Fast).

Location

src/_imaging.c:1607-1614

Code

#define set_value_to_item(seq, i)                                       \
    op = PySequence_Fast_GET_ITEM(seq, i);                              \
    if (PySequence_Check(op)) {                                         \
        PyErr_SetString(PyExc_TypeError, "sequence must be flattened"); \
        return NULL;   /* BUG: seq leaked! */                           \
    } else {                                                            \
        value = PyFloat_AsDouble(op);                                   \
    }

Impact

seq is a new reference from PySequence_Fast() allocated before this macro is called. The macro's return NULL exits the function without Py_DECREF(seq), leaking the reference. This triggers every time Image.putdata() is called with nested sequences (e.g., list of tuples within tuples).

Suggested Fix

#define set_value_to_item(seq, i)                                       \
    op = PySequence_Fast_GET_ITEM(seq, i);                              \
    if (PySequence_Check(op)) {                                         \
        PyErr_SetString(PyExc_TypeError, "sequence must be flattened"); \
        Py_DECREF(seq);                                                 \
        return NULL;                                                    \
    } else {                                                            \
        value = PyFloat_AsDouble(op);                                   \
    }

Environment

  • Pillow version: current main
  • Affected: Image.putdata() with nested sequence input
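
The leak pattern reported above, reduced to a self-contained C model. This is an added example, not code from the issue or from Pillow: `Seq`, `seq_fast`, `seq_decref`, the `SET_VALUE_*` macros and the `putdata_*` functions are hypothetical stand-ins for the CPython calls and the real caller.

```c
#include <stddef.h>

/* Simplified model of an owned reference; not CPython's API. */
typedef struct { int refcnt; const int *is_nested; size_t len; } Seq;
/* Constructed input: 1 marks an item that is itself a sequence. */
static const int NESTED_INPUT[] = {0, 0, 1, 0};

/* Like PySequence_Fast(): the caller gets a new reference it must release. */
static Seq *seq_fast(Seq *s) { s->refcnt++; return s; }
static void seq_decref(Seq *s) { s->refcnt--; }

/* "Before" shape: the hidden return skips the caller's cleanup. */
#define SET_VALUE_LEAKY(seq, i)                         \
    if ((seq)->is_nested[i])                            \
        return -1; /* seq is still owned here */        \
    value = 1.0;

/* "After" shape: release the reference before the hidden return. */
#define SET_VALUE_FIXED(seq, i)                         \
    if ((seq)->is_nested[i]) {                          \
        seq_decref(seq);                                \
        return -1;                                      \
    }                                                   \
    value = 1.0;

/* Same caller body for both variants; only the item macro differs. */
#define DEFINE_PUTDATA(name, SET_VALUE)                 \
    static int name(Seq *data, double *sum) {           \
        Seq *seq = seq_fast(data);                      \
        double value;                                   \
        for (size_t i = 0; i < seq->len; i++) {         \
            SET_VALUE(seq, i)                           \
            *sum += value;                              \
        }                                               \
        seq_decref(seq); /* reached only on success */  \
        return 0;                                       \
    }
DEFINE_PUTDATA(putdata_leaky, SET_VALUE_LEAKY)
DEFINE_PUTDATA(putdata_fixed, SET_VALUE_FIXED)

/* Returns how many references fn failed to release on this input. */
static int leaked_refs(int (*fn)(Seq *, double *), const int *flags, size_t n) {
    Seq s = {1, flags, n}; /* refcnt 1 = the caller's own reference */
    double sum = 0.0;
    fn(&s, &sum);
    return s.refcnt - 1;
}

/* Exit status 0 means the fixed variant released everything it acquired. */
int main(void) { return leaked_refs(putdata_fixed, NESTED_INPUT, 4); }
```

Each failing call to the leaky variant leaves one reference outstanding, so a caller that retries on the error accumulates them.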
