[Python-checkins] cpython (3.5): Issue #28275: Clean up to avoid use-after-free after bzip decompress failure
martin.panter
python-checkins at python.org
Fri Sep 30 23:30:50 EDT 2016
https://hg.python.org/cpython/rev/36d37ff6c236
changeset: 104209:36d37ff6c236
branch: 3.5
parent: 104204:f7688db81753
user: Martin Panter <vadmium+py at gmail.com>
date: Sat Oct 01 02:45:17 2016 +0000
summary:
Issue #28275: Clean up to avoid use-after-free after bzip decompress failure
files:
Lib/test/test_bz2.py | 6 ++++++
Lib/test/test_lzma.py | 8 +++-----
Misc/NEWS | 3 ++-
Modules/_bz2module.c | 4 +++-
4 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/Lib/test/test_bz2.py b/Lib/test/test_bz2.py
--- a/Lib/test/test_bz2.py
+++ b/Lib/test/test_bz2.py
@@ -821,6 +821,12 @@
out.append(bzd.decompress(self.DATA[300:]))
self.assertEqual(b''.join(out), self.TEXT)
+ def test_failure(self):
+ bzd = BZ2Decompressor()
+ self.assertRaises(Exception, bzd.decompress, self.BAD_DATA * 30)
+ # Previously, a second call could crash due to internal inconsistency
+ self.assertRaises(Exception, bzd.decompress, self.BAD_DATA * 30)
+
class CompressDecompressTest(BaseTest):
def testCompress(self):
data = bz2.compress(self.TEXT)
diff --git a/Lib/test/test_lzma.py b/Lib/test/test_lzma.py
--- a/Lib/test/test_lzma.py
+++ b/Lib/test/test_lzma.py
@@ -249,11 +249,9 @@
def test_decompressor_bug_28275(self):
# Test coverage for Issue 28275
lzd = LZMADecompressor()
- for i in range(2):
- try:
- lzd.decompress(COMPRESSED_RAW_1)
- except LZMAError:
- pass
+ self.assertRaises(LZMAError, lzd.decompress, COMPRESSED_RAW_1)
+ # Previously, a second call could crash due to internal inconsistency
+ self.assertRaises(LZMAError, lzd.decompress, COMPRESSED_RAW_1)
# Test that LZMACompressor->LZMADecompressor preserves the input data.
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -95,7 +95,8 @@
that they don't call itermonthdates() which can cause datetime.date
under/overflow.
-- Issue #28275: Fixed possible use adter free in LZMADecompressor.decompress().
+- Issue #28275: Fixed possible use after free in the decompress()
+ methods of the LZMADecompressor and BZ2Decompressor classes.
Original patch by John Leitch.
- Issue #27897: Fixed possible crash in sqlite3.Connection.create_collation()
diff --git a/Modules/_bz2module.c b/Modules/_bz2module.c
--- a/Modules/_bz2module.c
+++ b/Modules/_bz2module.c
@@ -534,8 +534,10 @@
}
result = decompress_buf(d, max_length);
- if(result == NULL)
+ if(result == NULL) {
+ bzs->next_in = NULL;
return NULL;
+ }
if (d->eof) {
d->needs_input = 0;
--
Repository URL: https://hg.python.org/cpython
More information about the Python-checkins
mailing list