3 files changed, 17 insertions, 0 deletions

diff --git a/Lib/test/test_zlib.py b/Lib/test/test_zlib.py
index 6d4b2c3..4661c1d 100644
--- a/Lib/test/test_zlib.py
+++ b/Lib/test/test_zlib.py
@@ -459,6 +459,18 @@ class CompressObjectTestCase(BaseCompressTestCase, unittest.TestCase):
                 self.assertEqual(dco.unconsumed_tail, b'')
                 self.assertEqual(dco.unused_data, remainder)
 
+    def test_flush_with_freed_input(self):
+        # Issue #16411: decompressor accesses input to last decompress() call
+        # in flush(), even if this object has been freed in the meanwhile.
+        input1 = b'abcdefghijklmnopqrstuvwxyz'
+        input2 = b'QWERTYUIOPASDFGHJKLZXCVBNM'
+        data = zlib.compress(input1)
+        dco = zlib.decompressobj()
+        dco.decompress(data, 1)
+        del data
+        data = zlib.compress(input2)
+        self.assertEqual(dco.flush(), input1[1:])
+
     if hasattr(zlib.compressobj(), "copy"):
         def test_compresscopy(self):
             # Test copying a compression object
diff --git a/Misc/NEWS b/Misc/NEWS
index 01517e1..ab18f03 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -159,6 +159,9 @@ Core and Builtins
 Library
 -------
 
+- Issue #16411: Fix a bug where zlib.decompressobj().flush() might try to access
+  previously-freed memory. Patch by Serhiy Storchaka.
+
 - Issue #16357: fix calling accept() on a SSLSocket created through
   SSLContext.wrap_socket().  Original patch by Jeff McNeil.
 
diff --git a/Modules/zlibmodule.c b/Modules/zlibmodule.c
index 6d4aa3a..6a772ad 100644
--- a/Modules/zlibmodule.c
+++ b/Modules/zlibmodule.c
@@ -883,6 +883,8 @@ PyZlib_unflush(compobject *self, PyObject *args)
     ENTER_ZLIB(self);
 
     start_total_out = self->zst.total_out;
+    self->zst.avail_in = PyBytes_GET_SIZE(self->unconsumed_tail);
+    self->zst.next_in = (Byte *)PyBytes_AS_STRING(self->unconsumed_tail);
     self->zst.avail_out = length;
     self->zst.next_out = (Byte *)PyBytes_AS_STRING(retval);