diff options
| author | Nadeem Vawda <nadeem.vawda@gmail.com> | 2012-11-11 02:16:44 (GMT) |
|---|---|---|
| committer | Nadeem Vawda <nadeem.vawda@gmail.com> | 2012-11-11 02:16:44 (GMT) |
| commit | ec6dfcffa05414e7ee29cfe88551a3d3dcdaafdc (patch) | |
| tree | 084a9ec3b07d4b337ddac4535324f3e8c117264d | |
| parent | dd1253abdd8564b095f24107547be0b8ce91e653 (diff) | |
| parent | 7ee955550b27af117ddca61deb061e13423cf24b (diff) | |
| download | cpython-ec6dfcffa05414e7ee29cfe88551a3d3dcdaafdc.zip cpython-ec6dfcffa05414e7ee29cfe88551a3d3dcdaafdc.tar.gz cpython-ec6dfcffa05414e7ee29cfe88551a3d3dcdaafdc.tar.bz2 | |
Issue #16411: Fix a bug where zlib.decompressobj().flush() might try to access previously-freed memory.
Patch by Serhiy Storchaka.
| -rw-r--r-- | Lib/test/test_zlib.py | 12 | ||||
| -rw-r--r-- | Misc/NEWS | 3 | ||||
| -rw-r--r-- | Modules/zlibmodule.c | 2 |
3 files changed, 17 insertions, 0 deletions
diff --git a/Lib/test/test_zlib.py b/Lib/test/test_zlib.py index f5180e0..2f6f840 100644 --- a/Lib/test/test_zlib.py +++ b/Lib/test/test_zlib.py @@ -513,6 +513,18 @@ class CompressObjectTestCase(BaseCompressTestCase, unittest.TestCase): self.assertEqual(dco.unconsumed_tail, b'') self.assertEqual(dco.unused_data, remainder) + def test_flush_with_freed_input(self): + # Issue #16411: decompressor accesses input to last decompress() call + # in flush(), even if this object has been freed in the meanwhile. + input1 = b'abcdefghijklmnopqrstuvwxyz' + input2 = b'QWERTYUIOPASDFGHJKLZXCVBNM' + data = zlib.compress(input1) + dco = zlib.decompressobj() + dco.decompress(data, 1) + del data + data = zlib.compress(input2) + self.assertEqual(dco.flush(), input1[1:]) + if hasattr(zlib.compressobj(), "copy"): def test_compresscopy(self): # Test copying a compression object @@ -80,6 +80,9 @@ Core and Builtins Library ------- +- Issue #16411: Fix a bug where zlib.decompressobj().flush() might try to access + previously-freed memory. Patch by Serhiy Storchaka. + - Issue #16357: fix calling accept() on a SSLSocket created through SSLContext.wrap_socket(). Original patch by Jeff McNeil. diff --git a/Modules/zlibmodule.c b/Modules/zlibmodule.c index 9fabb00..5a57fe9 100644 --- a/Modules/zlibmodule.c +++ b/Modules/zlibmodule.c @@ -975,6 +975,8 @@ PyZlib_unflush(compobject *self, PyObject *args) ENTER_ZLIB(self); start_total_out = self->zst.total_out; + self->zst.avail_in = PyBytes_GET_SIZE(self->unconsumed_tail); + self->zst.next_in = (Byte *)PyBytes_AS_STRING(self->unconsumed_tail); self->zst.avail_out = length; self->zst.next_out = (Byte *)PyBytes_AS_STRING(retval); |