[Python-checkins] cpython (merge 3.3 -> default): Issue #16411: Fix a bug where zlib.decompressobj().flush() might try to access

nadeem.vawda python-checkins at python.org
Sun Nov 11 03:20:29 CET 2012


http://hg.python.org/cpython/rev/d63c751e9f01
changeset: 80356:d63c751e9f01
parent: 80352:4440e45c10f9
parent: 80355:a7934fe2927e
user: Nadeem Vawda <nadeem.vawda at gmail.com>
date: Sun Nov 11 03:19:49 2012 +0100
summary:
 Issue #16411: Fix a bug where zlib.decompressobj().flush() might try to access previously-freed memory.
Patch by Serhiy Storchaka.
files:
 Lib/test/test_zlib.py | 12 ++++++++++++
 Misc/NEWS | 3 +++
 Modules/zlibmodule.c | 2 ++
 3 files changed, 17 insertions(+), 0 deletions(-)
diff --git a/Lib/test/test_zlib.py b/Lib/test/test_zlib.py
--- a/Lib/test/test_zlib.py
+++ b/Lib/test/test_zlib.py
@@ -513,6 +513,18 @@
 self.assertEqual(dco.unconsumed_tail, b'')
 self.assertEqual(dco.unused_data, remainder)
 
+ def test_flush_with_freed_input(self):
+ # Issue #16411: decompressor accesses input to last decompress() call
+ # in flush(), even if this object has been freed in the meanwhile.
+ input1 = b'abcdefghijklmnopqrstuvwxyz'
+ input2 = b'QWERTYUIOPASDFGHJKLZXCVBNM'
+ data = zlib.compress(input1)
+ dco = zlib.decompressobj()
+ dco.decompress(data, 1)
+ del data
+ data = zlib.compress(input2)
+ self.assertEqual(dco.flush(), input1[1:])
+
 if hasattr(zlib.compressobj(), "copy"):
 def test_compresscopy(self):
 # Test copying a compression object
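Review bot: test_flush_with_freed_input can pass on an unfixed build, because a read through a dangling pointer only yields wrong output once the freed block has actually been reused. The `del data` / `data = zlib.compress(input2)` pair depends on the bytes object being freed at once by reference counting and on the allocator handing the same block back. That is presumably why input2 has the same length as input1, but the test does not say so. I would extend the comment with `# input2 has the same length as input1 so its compressed form is likely to land in the freed block; this is allocator-dependent.` A pass here is weak evidence, and a run of this test under a memory-error detector is the reliable check.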
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -113,6 +113,9 @@
 Library
 -------
 
+- Issue #16411: Fix a bug where zlib.decompressobj().flush() might try to access
+ previously-freed memory. Patch by Serhiy Storchaka.
+
 - Issue #16357: fix calling accept() on a SSLSocket created through
 SSLContext.wrap_socket(). Original patch by Jeff McNeil.
 
diff --git a/Modules/zlibmodule.c b/Modules/zlibmodule.c
--- a/Modules/zlibmodule.c
+++ b/Modules/zlibmodule.c
@@ -975,6 +975,8 @@
 ENTER_ZLIB(self);
 
 start_total_out = self->zst.total_out;
+ self->zst.avail_in = PyBytes_GET_SIZE(self->unconsumed_tail);
+ self->zst.next_in = (Byte *)PyBytes_AS_STRING(self->unconsumed_tail);
 self->zst.avail_out = length;
 self->zst.next_out = (Byte *)PyBytes_AS_STRING(retval);
 
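Review bot: The two added assignments need a comment saying why they are there, since nothing at this point in flush() shows that `zst.next_in` is a borrowed pointer left over from the last decompress() call: `/* next_in may still point into the caller's input from the last decompress(); re-point it at unconsumed_tail, which this object holds a reference to. */`. Separately, `PyBytes_GET_SIZE` yields a Py_ssize_t while zlib's `avail_in` is an unsigned int, so on a 64-bit build a tail larger than UINT_MAX would be truncated silently; whether a tail that large can arise depends on code outside the hunk. It is also not visible here whether unconsumed_tail is updated after inflate() consumes from it, so it is worth checking that a second flush() does not feed the same bytes again. The function body starts and ends outside the hunk.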
-- 
Repository URL: http://hg.python.org/cpython

