Issue #28275: Clean up to avoid use-after-free after bzip decompress failure

This commit is contained in:
Martin Panter 2016-10-01 02:45:17 +00:00
parent 34b9d14be6
commit 38317d3318
4 changed files with 14 additions and 7 deletions

View File

@ -821,6 +821,12 @@ class BZ2DecompressorTest(BaseTest):
out.append(bzd.decompress(self.DATA[300:]))
self.assertEqual(b''.join(out), self.TEXT)
def test_failure(self):
bzd = BZ2Decompressor()
self.assertRaises(Exception, bzd.decompress, self.BAD_DATA * 30)
# Previously, a second call could crash due to internal inconsistency
self.assertRaises(Exception, bzd.decompress, self.BAD_DATA * 30)
class CompressDecompressTest(BaseTest):
def testCompress(self):
data = bz2.compress(self.TEXT)

View File

@ -249,11 +249,9 @@ class CompressorDecompressorTestCase(unittest.TestCase):
def test_decompressor_bug_28275(self):
# Test coverage for Issue 28275
lzd = LZMADecompressor()
for i in range(2):
try:
lzd.decompress(COMPRESSED_RAW_1)
except LZMAError:
pass
self.assertRaises(LZMAError, lzd.decompress, COMPRESSED_RAW_1)
# Previously, a second call could crash due to internal inconsistency
self.assertRaises(LZMAError, lzd.decompress, COMPRESSED_RAW_1)
# Test that LZMACompressor->LZMADecompressor preserves the input data.

View File

@ -95,7 +95,8 @@ Library
that they don't call itermonthdates() which can cause datetime.date
under/overflow.
- Issue #28275: Fixed possible use adter free in LZMADecompressor.decompress().
- Issue #28275: Fixed possible use after free in the decompress()
methods of the LZMADecompressor and BZ2Decompressor classes.
Original patch by John Leitch.
- Issue #27897: Fixed possible crash in sqlite3.Connection.create_collation()

View File

@ -534,8 +534,10 @@ decompress(BZ2Decompressor *d, char *data, size_t len, Py_ssize_t max_length)
}
result = decompress_buf(d, max_length);
if(result == NULL)
if(result == NULL) {
bzs->next_in = NULL;
return NULL;
}
if (d->eof) {
d->needs_input = 0;