authorMartin Panter <vadmium+py@gmail.com>2016-10-01 02:45:17 (GMT)
committerMartin Panter <vadmium+py@gmail.com>2016-10-01 02:45:17 (GMT)
commit38317d3318e05832a864d413aa744a48a8975dce (patch)
tree8757c1d2116ed1d20aa28b02e0b11f05e9bc3412
parent34b9d14be642be80e9ac10c59004570a7efa5804 (diff)
Issue #28275: Clean up to avoid use-after-free after bzip decompress failure
-rw-r--r--Lib/test/test_bz2.py6
-rw-r--r--Lib/test/test_lzma.py8
-rw-r--r--Misc/NEWS3
-rw-r--r--Modules/_bz2module.c4
4 files changed, 14 insertions, 7 deletions
diff --git a/Lib/test/test_bz2.py b/Lib/test/test_bz2.py
index a1e4b8d..478921a 100644
--- a/Lib/test/test_bz2.py
+++ b/Lib/test/test_bz2.py
@@ -821,6 +821,12 @@ class BZ2DecompressorTest(BaseTest):
out.append(bzd.decompress(self.DATA[300:]))
self.assertEqual(b''.join(out), self.TEXT)
+ def test_failure(self):
+ bzd = BZ2Decompressor()
+ self.assertRaises(Exception, bzd.decompress, self.BAD_DATA * 30)
+ # Previously, a second call could crash due to internal inconsistency
+ self.assertRaises(Exception, bzd.decompress, self.BAD_DATA * 30)
+
class CompressDecompressTest(BaseTest):
def testCompress(self):
data = bz2.compress(self.TEXT)
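Review bot: Both `assertRaises(Exception, ...)` calls in `test_failure` accept any exception, so the test would still pass if decompress() failed for an unrelated reason such as a TypeError. If the error type for corrupt input is the same on both calls (presumably `OSError`, to be confirmed against the C module), narrow it, e.g. `self.assertRaises(OSError, bzd.decompress, self.BAD_DATA * 30)`; otherwise a short comment saying why the broad class is needed would help. The second call also only exposes the use-after-free if the interpreter happens to crash, so this regression test, like `test_decompressor_bug_28275` in test_lzma.py, is most meaningful when the suite runs under a memory-checking build such as AddressSanitizer.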
diff --git a/Lib/test/test_lzma.py b/Lib/test/test_lzma.py
index afd2767..16e89d5 100644
--- a/Lib/test/test_lzma.py
+++ b/Lib/test/test_lzma.py
@@ -249,11 +249,9 @@ class CompressorDecompressorTestCase(unittest.TestCase):
def test_decompressor_bug_28275(self):
# Test coverage for Issue 28275
lzd = LZMADecompressor()
- for i in range(2):
- try:
- lzd.decompress(COMPRESSED_RAW_1)
- except LZMAError:
- pass
+ self.assertRaises(LZMAError, lzd.decompress, COMPRESSED_RAW_1)
+ # Previously, a second call could crash due to internal inconsistency
+ self.assertRaises(LZMAError, lzd.decompress, COMPRESSED_RAW_1)
# Test that LZMACompressor->LZMADecompressor preserves the input data.
diff --git a/Misc/NEWS b/Misc/NEWS
index 136247e..c001fc7 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -95,7 +95,8 @@ Library
that they don't call itermonthdates() which can cause datetime.date
under/overflow.
-- Issue #28275: Fixed possible use adter free in LZMADecompressor.decompress().
+- Issue #28275: Fixed possible use after free in the decompress()
+ methods of the LZMADecompressor and BZ2Decompressor classes.
Original patch by John Leitch.
- Issue #27897: Fixed possible crash in sqlite3.Connection.create_collation()
diff --git a/Modules/_bz2module.c b/Modules/_bz2module.c
index e3e0eb1..67e1b65 100644
--- a/Modules/_bz2module.c
+++ b/Modules/_bz2module.c
@@ -534,8 +534,10 @@ decompress(BZ2Decompressor *d, char *data, size_t len, Py_ssize_t max_length)
}
result = decompress_buf(d, max_length);
- if(result == NULL)
+ if(result == NULL) {
+ bzs->next_in = NULL;
return NULL;
+ }
if (d->eof) {
d->needs_input = 0;
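Review bot: The new `bzs->next_in = NULL;` on the error path has no comment, and its purpose cannot be read from the hunk alone. Judging from the commit title, next_in can be left pointing at the caller's input after decompress_buf() fails, so a later call would read memory that has since been released. A comment such as `/* Drop the stale input pointer so the next call cannot read a released buffer */` would record that, with the wording confirmed against the rest of decompress(), which starts and ends outside this hunk. As a style point, `if(result == NULL) {` could take a space after `if` to match `if (d->eof) {` just below.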