Stowage/cpython
2
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2026-04-20 02:40:59 +00:00
Code Issues Projects Releases Packages Wiki Activity

gh-148395: Fix a possible UAF in {LZMA,BZ2,_Zlib}Decompressor (GH-148396)

Browse source 
Fix dangling input pointer after `MemoryError` in _lzma/_bz2/_ZlibDecompressor.decompress
This commit is contained in:
Stan Ulbrych 2026-04-13 02:14:54 +01:00 committed by GitHub
parent 480edc1aae
commit 8fc66aef6d
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 8 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

5
Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst Normal file
View file

@ -0,0 +1,5 @@
Fix a dangling input pointer in :class:`lzma.LZMADecompressor`,
:class:`bz2.BZ2Decompressor`, and internal :class:`!zlib._ZlibDecompressor`
when memory allocation fails with :exc:`MemoryError`, which could let a
subsequent :meth:`!decompress` call read or write through a stale pointer to
the already-released caller buffer.

1
Modules/_bz2module.c
View file

@ -571,6 +571,7 @@ decompress(BZ2Decompressor *d, char *data, size_t len, Py_ssize_t max_length)
return result;
error:
bzs->next_in = NULL;
Py_XDECREF(result);
return NULL;
}

1
Modules/_lzmamodule.c
View file

@ -1100,6 +1100,7 @@ decompress(Decompressor *d, uint8_t *data, size_t len, Py_ssize_t max_length)
return result;
error:
lzs->next_in = NULL;
Py_XDECREF(result);
return NULL;
}

1
Modules/zlibmodule.c
View file

@ -1669,6 +1669,7 @@ decompress(ZlibDecompressor *self, uint8_t *data,
return result;
error:
self->zst.next_in = NULL;
Py_XDECREF(result);
return NULL;
}