authorAlexander Riccio <test35965@gmail.com>2020-03-30 21:15:59 (GMT)
committerGitHub <noreply@github.com>2020-03-30 21:15:59 (GMT)
commit51e3e450fbed46198d9be92add1a5dee6a1f7f41 (patch)
tree14d0f753604a99b7759994a7f0c61da61abedc94
parentfc2d8d62af25be90f5fd490df141a775d9619b23 (diff)
bpo-40020: Fix realloc leak on failure in growable_comment_array_add (GH-19083)
Fix a leak and subsequent crash in parsetok.c caused by realloc misuse on a rare codepath. realloc returns a null pointer on failure, and growable_comment_array_deallocate then crashes later when it dereferences that null pointer.
-rw-r--r--Misc/NEWS.d/next/Core and Builtins/2020-03-19-21-53-41.bpo-40020.n-26G7.rst1
-rw-r--r--Parser/parsetok.c8
2 files changed, 6 insertions, 3 deletions
diff --git a/Misc/NEWS.d/next/Core and Builtins/2020-03-19-21-53-41.bpo-40020.n-26G7.rst b/Misc/NEWS.d/next/Core and Builtins/2020-03-19-21-53-41.bpo-40020.n-26G7.rst
new file mode 100644
index 0000000..948404b
--- /dev/null
+++ b/Misc/NEWS.d/next/Core and Builtins/2020-03-19-21-53-41.bpo-40020.n-26G7.rst
@@ -0,0 +1 @@
+Fix a leak and subsequent crash in parsetok.c caused by realloc misuse on a rare codepath.
diff --git a/Parser/parsetok.c b/Parser/parsetok.c
index 554455d..cb94721 100644
--- a/Parser/parsetok.c
+++ b/Parser/parsetok.c
@@ -37,11 +37,13 @@ growable_comment_array_init(growable_comment_array *arr, size_t initial_size) {
static int
growable_comment_array_add(growable_comment_array *arr, int lineno, char *comment) {
if (arr->num_items >= arr->size) {
- arr->size *= 2;
- arr->items = realloc(arr->items, arr->size * sizeof(*arr->items));
- if (!arr->items) {
+ size_t new_size = arr->size * 2;
+ void *new_items_array = realloc(arr->items, new_size * sizeof(*arr->items));
+ if (!new_items_array) {
return 0;
}
+ arr->items = new_items_array;
+ arr->size = new_size;
}
arr->items[arr->num_items].lineno = lineno;