-rw-r--r--Misc/NEWS.d/next/Core and Builtins/2017-10-01-15-48-03.bpo-31626.reLPxY.rst2
-rw-r--r--Objects/obmalloc.c13
2 files changed, 4 insertions, 11 deletions
diff --git a/Misc/NEWS.d/next/Core and Builtins/2017-10-01-15-48-03.bpo-31626.reLPxY.rst b/Misc/NEWS.d/next/Core and Builtins/2017-10-01-15-48-03.bpo-31626.reLPxY.rst
new file mode 100644
index 0000000..51026a3
--- /dev/null
+++ b/Misc/NEWS.d/next/Core and Builtins/2017-10-01-15-48-03.bpo-31626.reLPxY.rst
@@ -0,0 +1,2 @@
+Fixed a bug in debug memory allocator. There was a write to freed memory
+after shrinking a memory block.
diff --git a/Objects/obmalloc.c b/Objects/obmalloc.c
index f2651d7..1485172 100644
--- a/Objects/obmalloc.c
+++ b/Objects/obmalloc.c
@@ -1460,7 +1460,7 @@ static void *
_PyMem_DebugRawRealloc(void *ctx, void *p, size_t nbytes)
{
debug_alloc_api_t *api = (debug_alloc_api_t *)ctx;
- uint8_t *q = (uint8_t *)p, *oldq;
+ uint8_t *q = (uint8_t *)p;
uint8_t *tail;
size_t total; /* nbytes + 4*SST */
size_t original_nbytes;
@@ -1477,20 +1477,11 @@ _PyMem_DebugRawRealloc(void *ctx, void *p, size_t nbytes)
/* overflow: can't represent total as a Py_ssize_t */
return NULL;
- /* Resize and add decorations. We may get a new pointer here, in which
- * case we didn't get the chance to mark the old memory with DEADBYTE,
- * but we live with that.
- */
- oldq = q;
+ /* Resize and add decorations. */
q = (uint8_t *)api->alloc.realloc(api->alloc.ctx, q - 2*SST, total);
if (q == NULL)
return NULL;
- if (q == oldq && nbytes < original_nbytes) {
- /* shrinking: mark old extra memory dead */
- memset(q + nbytes, DEADBYTE, original_nbytes - nbytes);
- }
-
write_size_t(q, nbytes);
assert(q[SST] == (uint8_t)api->api_id);
for (i = 1; i < SST; ++i)
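Review bot: With the post-realloc `memset` removed, the bytes released by a shrinking `_PyMem_DebugRawRealloc` are never filled with `DEADBYTE`, and the shortened comment `/* Resize and add decorations. */` no longer tells the reader that this is deliberate. Removing the write is right, since once `api->alloc.realloc` returns, the tail beyond `total` no longer belongs to this block, but the debug allocator now leaves no poison pattern to expose stale reads of a truncated tail. I would record that next to the call, e.g. `/* The tail released by a shrink is not marked with DEADBYTE: after realloc it is no longer ours to write. */`. If that detection is wanted back, the fill would have to happen before the realloc call, with the overwritten bytes saved so they can be restored when realloc returns NULL and the caller keeps the original block. The function body starts before this hunk and continues past it.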