homepage

When calling zlib.Decompress.decompress() with a max_length argument,
if the input data is not full consumed, the next_in pointer in the
z_stream struct are left pointing into the data object, but the
decompressor does not hold a reference to this object. This same
pointer is reused (perhaps unintentionally) if flush() is called
without calling decompress() again.
If the data object gets deallocated between the calls to decompress()
and to flush(), zlib will then try to access this deallocated memory,
and most likely return bogus output (or segfault). See the attached
script for a demonstration.
I see two potential solutions:
 1. Set avail_in to zero in flush(), so that it does not try to use
 leftover data (or whatever is else where that data used to be).
 2. Have decompress() check if there is leftover data, and if so,
 save a reference to the object until a) we consume the rest of
 the data in flush(), or b) discard it in a subsequent call to
 decompress().
Solution 2 would be less disruptive to code that depends on the existing
behavior (in non-pathological cases), but I'm don't like the maintenance
burden of adding yet another thing to keep track of to the decompressor
state. The PyZlib_objdecompress function is complex enough as it is, and
we can expect more bugs like this to creep in the more we cram additional
logic into it. So I'm more in favor of solution 1.
Any thoughts?

The decompressor does not hold a reference to the data object, but it holds a reference to the data. It's the unconsumed_tail attribute.
The patch is simple.

New changeset c3828831861c by Nadeem Vawda in branch '2.7':
Issue #16411: Fix a bug where zlib.decompressobj().flush() might try to access previously-freed memory.
http://hg.python.org/cpython/rev/c3828831861c
New changeset a1db815d0829 by Nadeem Vawda in branch '3.2':
Issue #16411: Fix a bug where zlib.decompressobj().flush() might try to access previously-freed memory.
http://hg.python.org/cpython/rev/a1db815d0829
New changeset a7934fe2927e by Nadeem Vawda in branch '3.3':
Issue #16411: Fix a bug where zlib.decompressobj().flush() might try to access previously-freed memory.
http://hg.python.org/cpython/rev/a7934fe2927e
New changeset d63c751e9f01 by Nadeem Vawda in branch 'default':
Issue #16411: Fix a bug where zlib.decompressobj().flush() might try to access previously-freed memory.
http://hg.python.org/cpython/rev/d63c751e9f01 

New changeset be40a10d553a by Nadeem Vawda in branch '2.7':
Fix typo in backporting fix of issue #16411 to 2.7.
http://hg.python.org/cpython/rev/be40a10d553a 

Ah, that's much nicer than either of my ideas. Patch committed. Thanks!