From b484d5606ca76f9bbd0f5de7a6ef753400213e94 Mon Sep 17 00:00:00 2001
From: Serhiy Storchaka
Date: Tue, 31 Oct 2017 14:05:03 +0200
Subject: bpo-31626: Fixed a bug in debug memory allocator. (#3844)

Removed a code that incorrectly detected in-place resizing in realloc() and wrote to freed memory.
---
 .../2017-10-01-15-48-03.bpo-31626.reLPxY.rst | 2 ++
 Objects/obmalloc.c | 13 ++-----------
 2 files changed, 4 insertions(+), 11 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Core and Builtins/2017-10-01-15-48-03.bpo-31626.reLPxY.rst

diff --git a/Misc/NEWS.d/next/Core and Builtins/2017-10-01-15-48-03.bpo-31626.reLPxY.rst b/Misc/NEWS.d/next/Core and Builtins/2017-10-01-15-48-03.bpo-31626.reLPxY.rst
new file mode 100644
index 0000000..51026a3
--- /dev/null
+++ b/Misc/NEWS.d/next/Core and Builtins/2017-10-01-15-48-03.bpo-31626.reLPxY.rst
@@ -0,0 +1,2 @@
+Fixed a bug in debug memory allocator. There was a write to freed memory
+after shrinking a memory block.
diff --git a/Objects/obmalloc.c b/Objects/obmalloc.c
index f2651d7..1485172 100644
--- a/Objects/obmalloc.c
+++ b/Objects/obmalloc.c
@@ -1460,7 +1460,7 @@ static void *
 _PyMem_DebugRawRealloc(void *ctx, void *p, size_t nbytes)
 {
 debug_alloc_api_t *api = (debug_alloc_api_t *)ctx;
- uint8_t *q = (uint8_t *)p, *oldq;
+ uint8_t *q = (uint8_t *)p;
 uint8_t *tail;
 size_t total; /* nbytes + 4*SST */
 size_t original_nbytes;
@@ -1477,20 +1477,11 @@ _PyMem_DebugRawRealloc(void *ctx, void *p, size_t nbytes)
 /* overflow: can't represent total as a Py_ssize_t */
 return NULL;
- /* Resize and add decorations. We may get a new pointer here, in which
- * case we didn't get the chance to mark the old memory with DEADBYTE,
- * but we live with that.
- */
- oldq = q;
+ /* Resize and add decorations. */
 q = (uint8_t *)api->alloc.realloc(api->alloc.ctx, q - 2*SST, total);
 if (q == NULL)
 return NULL;
- if (q == oldq && nbytes < original_nbytes) {
- /* shrinking: mark old extra memory dead */
- memset(q + nbytes, DEADBYTE, original_nbytes - nbytes);
- }
-
 write_size_t(q, nbytes);
 assert(q[SST] == (uint8_t)api->api_id);
 for (i = 1; i < SST; ++i)
-- cgit v0.12
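Review bot: The replacement comment `/* Resize and add decorations. */` drops the reason the shrink-time DEADBYTE marking had to go, which makes it easy for a later change to reintroduce the write the NEWS entry describes: once `api->alloc.realloc` has returned, the bytes past the new `total` belong to the underlying allocator even when the returned pointer equals the old one, so touching them is a write to freed memory. I would state that at the call site, e.g. `/* Resize and add decorations.  Nothing may be written past the new size after this call: even if realloc() returns the same pointer, the trimmed tail is no longer part of the block. */`. If dead-marking the shrunk tail is still wanted for debugging coverage, the memset would have to run before the realloc call while those bytes are still ours, and a failed realloc would then hand the caller back a still-valid block with a scribbled tail, so that needs a save-and-restore rather than a one-line memset. _PyMem_DebugRawRealloc begins before this hunk and its body continues past the `for` loop on the last line.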