author | Serhiy Storchaka <storchaka@gmail.com> | 2016-09-27 17:14:26 (GMT) |
---|---|---|
committer | Serhiy Storchaka <storchaka@gmail.com> | 2016-09-27 17:14:26 (GMT) |
commit | c0b7037d4fc0f85af858cfa56df4dca25fb8896f (patch) | |
tree | 4e003642f99456c981bc0735d91dc52d3f70e90f | |
parent | f18a5daadd6dc9d43a673a6f363d0116bee20210 (diff) | |
Issue #28275: Fixed possible use after free in LZMADecompressor.decompress().
Original patch by John Leitch.
-rw-r--r-- | Lib/test/test_lzma.py | 9 | ||||
-rw-r--r-- | Misc/NEWS | 3 | ||||
-rw-r--r-- | Modules/_lzmamodule.c | 4 |
3 files changed, 15 insertions, 1 deletions
diff --git a/Lib/test/test_lzma.py b/Lib/test/test_lzma.py
index 6c698e2..afd2767 100644
--- a/Lib/test/test_lzma.py
+++ b/Lib/test/test_lzma.py
@@ -246,6 +246,15 @@ class CompressorDecompressorTestCase(unittest.TestCase):
 lzd = LZMADecompressor(lzma.FORMAT_RAW, filters=FILTERS_RAW_1)
 self.assertRaises(LZMAError, lzd.decompress, COMPRESSED_XZ)
+ def test_decompressor_bug_28275(self):
+ # Test coverage for Issue 28275
+ lzd = LZMADecompressor()
+ for i in range(2):
+ try:
+ lzd.decompress(COMPRESSED_RAW_1)
+ except LZMAError:
+ pass
+
 # Test that LZMACompressor->LZMADecompressor preserves the input data.
 def test_roundtrip_xz(self):
@@ -80,6 +80,9 @@ Core and Builtins
 Library
 -------
+- Issue #28275: Fixed possible use adter free in LZMADecompressor.decompress().
+ Original patch by John Leitch.
+
 - Issue #27897: Fixed possible crash in sqlite3.Connection.create_collation() if pass invalid string-like object as a name. Patch by Xiang Zhang.
diff --git a/Modules/_lzmamodule.c b/Modules/_lzmamodule.c
index bc01ffe..74c301d 100644
--- a/Modules/_lzmamodule.c
+++ b/Modules/_lzmamodule.c
@@ -1005,8 +1005,10 @@ decompress(Decompressor *d, uint8_t *data, size_t len, Py_ssize_t max_length)
 }
 result = decompress_buf(d, max_length);
- if(result == NULL)
+ if (result == NULL) {
+ lzs->next_in = NULL;
 return NULL;
+ }
 if (d->eof) {
 d->needs_input = 0;
|
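Review bot: In `test_decompressor_bug_28275` (Lib/test/test_lzma.py) the `try` / `except LZMAError: pass` loop asserts nothing, so the test passes whether or not `decompress()` takes the error path that the `_lzmamodule.c` change touches; its only failure mode is an interpreter crash. Stating the expectation keeps the regression coverage honest: replace the loop with two calls of `self.assertRaises(LZMAError, lzd.decompress, COMPRESSED_RAW_1)`, the second under a comment such as `# a second call after a failed one must fail cleanly, not crash`. This assumes both calls raise LZMAError, which the swallowed exception suggests but the hunk does not show.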
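Review bot: The new `lzs->next_in = NULL;` on the `result == NULL` path of `decompress()` (Modules/_lzmamodule.c) carries no comment naming the invariant it restores, and a reader cannot get that from the line itself. Going by the commit message, the pointer would otherwise keep referring to input memory that may be released after a failed call, so I would add `/* Do not keep a pointer into the input after a failed call; it may be freed before the next decompress(). */` above the assignment. `lzs->avail_in` is left untouched here; whether a later call can read it while `next_in` is NULL depends on code outside the hunk and is worth confirming. The body of `decompress()` starts before and continues after the hunk.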