diff options
-rw-r--r-- | Misc/NEWS.d/next/Core and Builtins/2017-10-01-15-48-03.bpo-31626.reLPxY.rst | 2 | ||||
-rw-r--r-- | Objects/obmalloc.c | 13 |
2 files changed, 4 insertions, 11 deletions
diff --git a/Misc/NEWS.d/next/Core and Builtins/2017-10-01-15-48-03.bpo-31626.reLPxY.rst b/Misc/NEWS.d/next/Core and Builtins/2017-10-01-15-48-03.bpo-31626.reLPxY.rst new file mode 100644 index 0000000..51026a3 --- /dev/null +++ b/Misc/NEWS.d/next/Core and Builtins/2017-10-01-15-48-03.bpo-31626.reLPxY.rst @@ -0,0 +1,2 @@ +Fixed a bug in debug memory allocator. There was a write to freed memory +after shrinking a memory block. diff --git a/Objects/obmalloc.c b/Objects/obmalloc.c index f2651d7..1485172 100644 --- a/Objects/obmalloc.c +++ b/Objects/obmalloc.c @@ -1460,7 +1460,7 @@ static void * _PyMem_DebugRawRealloc(void *ctx, void *p, size_t nbytes) { debug_alloc_api_t *api = (debug_alloc_api_t *)ctx; - uint8_t *q = (uint8_t *)p, *oldq; + uint8_t *q = (uint8_t *)p; uint8_t *tail; size_t total; /* nbytes + 4*SST */ size_t original_nbytes; @@ -1477,20 +1477,11 @@ _PyMem_DebugRawRealloc(void *ctx, void *p, size_t nbytes) /* overflow: can't represent total as a Py_ssize_t */ return NULL; - /* Resize and add decorations. We may get a new pointer here, in which - * case we didn't get the chance to mark the old memory with DEADBYTE, - * but we live with that. - */ - oldq = q; + /* Resize and add decorations. */ q = (uint8_t *)api->alloc.realloc(api->alloc.ctx, q - 2*SST, total); if (q == NULL) return NULL; - if (q == oldq && nbytes < original_nbytes) { - /* shrinking: mark old extra memory dead */ - memset(q + nbytes, DEADBYTE, original_nbytes - nbytes); - } - write_size_t(q, nbytes); assert(q[SST] == (uint8_t)api->api_id); for (i = 1; i < SST; ++i) |