[Python-checkins] bpo-31626: Fixed a bug in debug memory allocator. (GH-3844) (#4191)
Serhiy Storchaka
webhook-mailer at python.org
Tue Oct 31 09:58:38 EDT 2017
https://github.com/python/cpython/commit/ece5659565e083baaee4d185ce181a98aaee7f96
commit: ece5659565e083baaee4d185ce181a98aaee7f96
branch: 3.6
author: Miss Islington (bot) <31488909+miss-islington at users.noreply.github.com>
committer: Serhiy Storchaka <storchaka at gmail.com>
date: 2017-10-31T15:58:33+02:00
summary:
bpo-31626: Fixed a bug in debug memory allocator. (GH-3844) (#4191)
Removed a code that incorrectly detected in-place resizing in realloc()
and wrote to freed memory.
(cherry picked from commit b484d5606ca76f9bbd0f5de7a6ef753400213e94)
files:
A Misc/NEWS.d/next/Core and Builtins/2017-10-01-15-48-03.bpo-31626.reLPxY.rst
M Objects/obmalloc.c
diff --git a/Misc/NEWS.d/next/Core and Builtins/2017-10-01-15-48-03.bpo-31626.reLPxY.rst b/Misc/NEWS.d/next/Core and Builtins/2017-10-01-15-48-03.bpo-31626.reLPxY.rst
new file mode 100644
index 00000000000..51026a31914
--- /dev/null
+++ b/Misc/NEWS.d/next/Core and Builtins/2017-10-01-15-48-03.bpo-31626.reLPxY.rst
@@ -0,0 +1,2 @@
+Fixed a bug in debug memory allocator. There was a write to freed memory
+after shrinking a memory block.
diff --git a/Objects/obmalloc.c b/Objects/obmalloc.c
index 32e7ecbe1e0..38f267e347f 100644
--- a/Objects/obmalloc.c
+++ b/Objects/obmalloc.c
@@ -1914,7 +1914,7 @@ static void *
_PyMem_DebugRawRealloc(void *ctx, void *p, size_t nbytes)
{
debug_alloc_api_t *api = (debug_alloc_api_t *)ctx;
- uint8_t *q = (uint8_t *)p, *oldq;
+ uint8_t *q = (uint8_t *)p;
uint8_t *tail;
size_t total; /* nbytes + 4*SST */
size_t original_nbytes;
@@ -1931,20 +1931,11 @@ _PyMem_DebugRawRealloc(void *ctx, void *p, size_t nbytes)
/* overflow: can't represent total as a Py_ssize_t */
return NULL;
- /* Resize and add decorations. We may get a new pointer here, in which
- * case we didn't get the chance to mark the old memory with DEADBYTE,
- * but we live with that.
- */
- oldq = q;
+ /* Resize and add decorations. */
q = (uint8_t *)api->alloc.realloc(api->alloc.ctx, q - 2*SST, total);
if (q == NULL)
return NULL;
- if (q == oldq && nbytes < original_nbytes) {
- /* shrinking: mark old extra memory dead */
- memset(q + nbytes, DEADBYTE, original_nbytes - nbytes);
- }
-
write_size_t(q, nbytes);
assert(q[SST] == (uint8_t)api->api_id);
for (i = 1; i < SST; ++i)
More information about the Python-checkins
mailing list