diff options
| author | Nadeem Vawda <nadeem.vawda@gmail.com> | 2012-11-11 02:19:49 (GMT) |
|---|---|---|
| committer | Nadeem Vawda <nadeem.vawda@gmail.com> | 2012-11-11 02:19:49 (GMT) |
| commit | 9c40022e38ba250c84382e4a4e68a05c0024559d (patch) | |
| tree | 81d54b2a6ff416414ef874ec23a470dc713a5bf2 | |
| parent | 9ea64e38b5e1b947fef9e53e3f63994b79e264e7 (diff) | |
| parent | ec6dfcffa05414e7ee29cfe88551a3d3dcdaafdc (diff) | |
| download | cpython-9c40022e38ba250c84382e4a4e68a05c0024559d.zip cpython-9c40022e38ba250c84382e4a4e68a05c0024559d.tar.gz cpython-9c40022e38ba250c84382e4a4e68a05c0024559d.tar.bz2 | |
Issue #16411: Fix a bug where zlib.decompressobj().flush() might try to access previously-freed memory.
Patch by Serhiy Storchaka.
| -rw-r--r-- | Lib/test/test_zlib.py | 12 | ||||
| -rw-r--r-- | Misc/NEWS | 3 | ||||
| -rw-r--r-- | Modules/zlibmodule.c | 2 |
3 files changed, 17 insertions, 0 deletions
diff --git a/Lib/test/test_zlib.py b/Lib/test/test_zlib.py index f5180e0..2f6f840 100644 --- a/Lib/test/test_zlib.py +++ b/Lib/test/test_zlib.py @@ -513,6 +513,18 @@ class CompressObjectTestCase(BaseCompressTestCase, unittest.TestCase): self.assertEqual(dco.unconsumed_tail, b'') self.assertEqual(dco.unused_data, remainder) + def test_flush_with_freed_input(self): + # Issue #16411: decompressor accesses input to last decompress() call + # in flush(), even if this object has been freed in the meanwhile. + input1 = b'abcdefghijklmnopqrstuvwxyz' + input2 = b'QWERTYUIOPASDFGHJKLZXCVBNM' + data = zlib.compress(input1) + dco = zlib.decompressobj() + dco.decompress(data, 1) + del data + data = zlib.compress(input2) + self.assertEqual(dco.flush(), input1[1:]) + if hasattr(zlib.compressobj(), "copy"): def test_compresscopy(self): # Test copying a compression object @@ -113,6 +113,9 @@ Core and Builtins Library ------- +- Issue #16411: Fix a bug where zlib.decompressobj().flush() might try to access + previously-freed memory. Patch by Serhiy Storchaka. + - Issue #16357: fix calling accept() on a SSLSocket created through SSLContext.wrap_socket(). Original patch by Jeff McNeil. diff --git a/Modules/zlibmodule.c b/Modules/zlibmodule.c index 9e1c2ae..213859f 100644 --- a/Modules/zlibmodule.c +++ b/Modules/zlibmodule.c @@ -975,6 +975,8 @@ PyZlib_unflush(compobject *self, PyObject *args) ENTER_ZLIB(self); start_total_out = self->zst.total_out; + self->zst.avail_in = PyBytes_GET_SIZE(self->unconsumed_tail); + self->zst.next_in = (Byte *)PyBytes_AS_STRING(self->unconsumed_tail); self->zst.avail_out = length; self->zst.next_out = (Byte *)PyBytes_AS_STRING(retval); |