author | Alexander Riccio <test35965@gmail.com> | 2020-03-30 21:15:59 (GMT) |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-03-30 21:15:59 (GMT) |
commit | 51e3e450fbed46198d9be92add1a5dee6a1f7f41 (patch) | |
tree | 14d0f753604a99b7759994a7f0c61da61abedc94 | |
parent | fc2d8d62af25be90f5fd490df141a775d9619b23 (diff) | |
bpo-40020: Fix realloc leak on failure in growable_comment_array_add (GH-19083)
Fix a leak and subsequent crash in parsetok.c caused by realloc misuse on a rare codepath.
Realloc returns a null pointer on failure, and then growable_comment_array_deallocate crashes later when it dereferences it.
-rw-r--r-- | Misc/NEWS.d/next/Core and Builtins/2020-03-19-21-53-41.bpo-40020.n-26G7.rst | 1 | ||||
-rw-r--r-- | Parser/parsetok.c | 8 |
2 files changed, 6 insertions, 3 deletions
diff --git a/Misc/NEWS.d/next/Core and Builtins/2020-03-19-21-53-41.bpo-40020.n-26G7.rst b/Misc/NEWS.d/next/Core and Builtins/2020-03-19-21-53-41.bpo-40020.n-26G7.rst
new file mode 100644
index 0000000..948404b
--- /dev/null
+++ b/Misc/NEWS.d/next/Core and Builtins/2020-03-19-21-53-41.bpo-40020.n-26G7.rst
@@ -0,0 +1 @@
+Fix a leak and subsequent crash in parsetok.c caused by realloc misuse on a rare codepath.
diff --git a/Parser/parsetok.c b/Parser/parsetok.c
index 554455d..cb94721 100644
--- a/Parser/parsetok.c
+++ b/Parser/parsetok.c
@@ -37,11 +37,13 @@ growable_comment_array_init(growable_comment_array *arr, size_t initial_size) {
 static int
 growable_comment_array_add(growable_comment_array *arr, int lineno, char *comment) {
 if (arr->num_items >= arr->size) {
- arr->size *= 2;
- arr->items = realloc(arr->items, arr->size * sizeof(*arr->items));
- if (!arr->items) {
+ size_t new_size = arr->size * 2;
+ void *new_items_array = realloc(arr->items, new_size * sizeof(*arr->items));
+ if (!new_items_array) {
 return 0;
 }
+ arr->items = new_items_array;
+ arr->size = new_size;
 }
 arr->items[arr->num_items].lineno = lineno;
|
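Review bot: The doubling `arr->size * 2` and the byte count `new_size * sizeof(*arr->items)` in growable_comment_array_add are both computed without an overflow check. If either product wrapped, realloc could succeed with a buffer smaller than `new_size` claims, and the store to `arr->items[arr->num_items]` after the block would write past it. A guard ahead of the multiplication, `if (arr->size > SIZE_MAX / 2 / sizeof(*arr->items)) { return 0; }`, closes that. Separately, if `arr->size` can ever be 0 (the init function takes a caller-supplied `initial_size`, and its callers are not shown here), `new_size` stays 0 and a zero-size realloc may free the old block and return NULL, which would bring back the stale pointer this commit removes; `size_t new_size = arr->size ? arr->size * 2 : 1;` avoids it. The function body continues past the end of the hunk.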