gh-146065: Fix NULL dereference in FutureIter_am_send

Author: VanshAgarwal24036

Lib/test/test_asyncio/test_futures.py

@@ -755,6 +755,21 @@ def test_future_disallow_multiple_initialization(self):
         with self.assertRaises(RuntimeError, msg="is already initialized"):
             f.__init__(loop=self.loop)
 
+    def test_futureiter_send_after_throw_no_crash(self):
+        async def exploit():
+            loop = asyncio.get_event_loop()
+            fut = loop.create_future()
+            it = fut.__await__()
+            it.__next__()
+            try:
+                it.throw(RuntimeError)
+            except RuntimeError:
+                pass
+            with self.assertRaises(StopIteration):
+                it.send(None)
+        asyncio.run(exploit())
+
+
 @unittest.skipUnless(hasattr(futures, '_CFuture'),
                      'requires the C _asyncio module')
 class CFutureTests(BaseFutureTests, test_utils.TestCase):

Misc/NEWS.d/next/Library/2026-03-23-00-04-13.gh-issue-146065.FIdn8D.rst

@@ -0,0 +1,2 @@
+Fix a NULL pointer dereference in asyncio.Future iterator when send() is
+called after throw() or close(), which previously could cause a crash.

Modules/_asynciomodule.c

@@ -1872,6 +1872,11 @@ FutureIter_am_send(PyObject *op,
                    PyObject **result)
 {
     futureiterobject *it = (futureiterobject*)op;
+    if (it->future == NULL) {
+        PyErr_SetNone(PyExc_StopIteration);
+        *result = NULL;
+        return PYGEN_RETURN;
+    }
     /* arg is unused, see the comment on FutureIter_send for clarification */
     PySendResult res;
     Py_BEGIN_CRITICAL_SECTION(it->future);