[Python-checkins] cpython (2.7): Issue #16411: Fix a bug where zlib.decompressobj().flush() might try to access

[nadeem.vawda]

http://hg.python.org/cpython/rev/c3828831861c
changeset:   80353:c3828831861c
branch:      2.7
parent:      80349:94256d7804b8
user:        Nadeem Vawda <nadeem.vawda at gmail.com>
date:        Sun Nov 11 03:14:56 2012 +0100
summary:
  Issue #16411: Fix a bug where zlib.decompressobj().flush() might try to access previously-freed memory.

Patch by Serhiy Storchaka.

files:
  Lib/test/test_zlib.py |  12 ++++++++++++
  Misc/NEWS             |   3 +++
  Modules/zlibmodule.c  |   2 ++
  3 files changed, 17 insertions(+), 0 deletions(-)


diff --git a/Lib/test/test_zlib.py b/Lib/test/test_zlib.py
--- a/Lib/test/test_zlib.py
+++ b/Lib/test/test_zlib.py
@@ -396,6 +396,18 @@
         y += dco.flush()
         self.assertEqual(y, 'foo')
 
+    def test_flush_with_freed_input(self):
+        # Issue #16411: decompressor accesses input to last decompress() call
+        # in flush(), even if this object has been freed in the meanwhile.
+        input1 = 'abcdefghijklmnopqrstuvwxyz'
+        input2 = 'QWERTYUIOPASDFGHJKLZXCVBNM'
+        data = zlib.compress(input1)
+        dco = zlib.decompressobj()
+        dco.decompress(data, 1)
+        del data
+        data = zlib.compress(input2)
+        self.assertEqual(dco.flush(), input1[1:])
+
     if hasattr(zlib.compressobj(), "copy"):
         def test_compresscopy(self):
             # Test copying a compression object
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -140,6 +140,9 @@
 Library
 -------
 
+- Issue #16411: Fix a bug where zlib.decompressobj().flush() might try to access
+  previously-freed memory. Patch by Serhiy Storchaka.
+
 - Issue #16350: zlib.decompressobj().decompress() now accumulates data from
   successive calls after EOF in unused_data, instead of only saving the argument
   to the last call. decompressobj().flush() now correctly sets unused_data and
diff --git a/Modules/zlibmodule.c b/Modules/zlibmodule.c
--- a/Modules/zlibmodule.c
+++ b/Modules/zlibmodule.c
@@ -830,6 +830,8 @@
     ENTER_ZLIB
 
     start_total_out = self->zst.total_out;
+    self->zst.avail_in = PyBytes_GET_SIZE(self->unconsumed_tail);
+    self->zst.next_in = (Byte *)PyBytes_AS_STRING(self->unconsumed_tail);
     self->zst.avail_out = length;
     self->zst.next_out = (Byte *)PyString_AS_STRING(retval);
 

-- 
Repository URL: http://hg.python.org/cpython