[Python-bugs-list] [Bug #116267] zlib.decompress memory allocation "infinite" loop

noreply@sourceforge.net noreply@sourceforge.net
Fri, 6 Oct 2000 12:07:16 -0700 

Bug #116267, was updated on 2000-Oct-06 11:37
Here is a current snapshot of the bug.

Project: Python
Category: Modules
Status: Open
Resolution: None
Bug Group: None
Priority: 6
Summary: zlib.decompress memory allocation "infinite" loop

Details: Either of the following will cause Python to enter into a loop in which it progressively allocates more and more memory until it eventually generaes an out of memory error (or, under Win9X, the machine becomes unusable):

import zlib

s = zlib.decompress('')
s = zlib.decompress('\010')

There are probably many other strings which, when passed to decompress, will cause Python to enter this loop.  The problem appears to be that the inflate function (in the zlib library) will return Z_BUF_ERROR both for an invalid input buffer and if there is not enough space in the output buffer.  However, zlibmodule.c assumes Z_BUF_ERROR always means the output buffer is too small, so it keeps allocating a larger one.  I reported this error on the python-list mailing list and received a reply with the following patch (which I have updated so that it applies to the zlibmodule.c which comes with Python 2.0b2).  I have not actually applied or tested this patch (that's why I'm not submitting it as a patch), but it looks like it should solve the problem:

*** zlibmodule.c.orig	Wed Aug 02 19:04:04 2000
--- zlibmodule.c	Fri Oct 06 10:58:22 2000
***************
*** 213,219 ****
          {
          case(Z_STREAM_END):
  	    break;
! 	case(Z_BUF_ERROR):
          case(Z_OK):
  	    /* need more memory */
  	    if (_PyString_Resize(&result_str, r_strlen << 1) == -1)
--- 213,232 ----
          {
          case(Z_STREAM_END):
  	    break;
!         case(Z_BUF_ERROR):
! 	    /*
! 	     * If there is at least 1 byte of room in zst.next_out
! 	     * and get this error, I assume that it means zlib cannot
! 	     * process inflate.
! 	     */
! 	    if (0 < zst.avail_out)
! 	    {
! 	      PyErr_Format(ZlibError, "Error %i while decompressing data",
! 	                   err);
! 	      inflateEnd(&zst);
! 	      Py_DECREF(result_str);
! 	      return NULL;
! 	    }
          case(Z_OK):
  	    /* need more memory */
  	    if (_PyString_Resize(&result_str, r_strlen << 1) == -1)


Follow-Ups:

Date: 2000-Oct-06 12:07
By: jhylton

Comment:
Andrew, do you have time to look at this today?  If not, bounce it back to me.

-------------------------------------------------------

For detailed info, follow this link:
http://sourceforge.net/bugs/?func=detailbug&bug_id=116267&group_id=5470