[issue31626] Writing in freed memory in _PyMem_DebugRawRealloc() after shrinking a memory block

Serhiy Storchaka report at bugs.python.org
Thu Oct 26 10:35:15 EDT 2017


Serhiy Storchaka <storchaka+cpython at gmail.com> added the comment:

The current code OBVIOUSLY is wrong. Bytes are erased if q == oldq && nbytes < original_nbytes. But q == oldq only if realloc() returns a new address 2*sizeof(size_t) bytes larger than its argument. This virtually never happens on other platforms because _PyMem_DebugRawRealloc() is usually used with blocks larger than 2*sizeof(size_t) bytes and the system realloc() doesn't shrink the block at the left (this is an implementation detail). Thus this code is virtually dead on other platforms. It doesn't detect shrinking a memory block in place.

After fixing *this* bug, we have encountered *another* bug, related to overwriting the freed memory.

I don't see reasons for keeping obviously wrong code. When we fix the first bug we will need to fix the other bug.

----------

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue31626>
_______________________________________
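The pointer comparison Serhiy describes, modelled in a self-contained toy debug allocator (an added example written for this page, not CPython's code; the arena-backed raw_realloc, the two-slot header with the size in the second slot, and the function names are assumptions made for illustration). It shows why `q == oldq` is effectively dead for an in-place shrink and how erasing the tail before calling realloc avoids writing into memory the allocator has already reclaimed:

```c
#include <stdint.h>
#include <string.h>
#define SST sizeof(size_t)
#define HDR (2 * SST)   /* debug header in front of the user block: serial slot + size slot */
#define DEADBYTE 0xDB
/* Constructed stand-in for the platform realloc: one static arena that always resizes in
 * place, so a test can inspect the bytes just past a shrunk block. On a real heap those
 * bytes belong to the allocator again and must not be written. */
static uint8_t arena[256];
static void *raw_realloc(void *p, size_t n) { (void)n; return p ? p : arena; }
static void *dbg_malloc(size_t nbytes) {
    uint8_t *head = raw_realloc(NULL, HDR + nbytes);
    memcpy(head + SST, &nbytes, SST);   /* size lives in the second header slot */
    return head + HDR;
}
/* Shape of the condition described in the thread: after realloc, q is the new HEADER
 * address while oldq is the old USER address, so q == oldq holds only when the block
 * moved by exactly HDR bytes. The erase is effectively dead; if it ran, it would write
 * into memory the allocator has already reclaimed. */
static void *dbg_realloc_flawed(void *p, size_t nbytes) {
    uint8_t *oldq = p, *q; size_t old_nbytes;
    memcpy(&old_nbytes, oldq - SST, SST);
    q = raw_realloc(oldq - HDR, HDR + nbytes);
    if (q == oldq && nbytes < old_nbytes)
        memset(q + nbytes, DEADBYTE, old_nbytes - nbytes);
    memcpy(q + SST, &nbytes, SST);
    return q + HDR;
}
/* Safer order: mark the tail dead while the block is still ours, before calling realloc.
 * Caveat: a failing realloc leaves the old block live, so a real allocator must save and
 * restore the erased tail on failure; omitted here because the arena never fails. */
static void *dbg_realloc_fixed(void *p, size_t nbytes) {
    uint8_t *oldq = p, *q; size_t old_nbytes;
    memcpy(&old_nbytes, oldq - SST, SST);
    if (nbytes < old_nbytes)
        memset(oldq + nbytes, DEADBYTE, old_nbytes - nbytes);
    q = raw_realloc(oldq - HDR, HDR + nbytes);
    memcpy(q + SST, &nbytes, SST);
    return q + HDR;
}
/* Shrink a 32-byte block of 'A' to 8 bytes: 1 = tail erased, 0 = not erased, -1 = data damaged. */
static int shrink_erases_tail(void *(*dbg_realloc)(void *, size_t)) {
    uint8_t *p = dbg_malloc(32);
    memset(p, 'A', 32);
    p = dbg_realloc(p, 8);
    for (size_t i = 0; i < 8; i++) if (p[i] != 'A') return -1;
    for (size_t i = 8; i < 32; i++) if (p[i] != DEADBYTE) return 0;
    return 1;
}
```

With the arena resizing in place, the flawed version leaves the tail untouched (the condition is false), while the fixed version fills it with DEADBYTE before the block changes size.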

