From 51e3e450fbed46198d9be92add1a5dee6a1f7f41 Mon Sep 17 00:00:00 2001
From: Alexander Riccio
Date: Mon, 30 Mar 2020 17:15:59 -0400
Subject: [PATCH] bpo-40020: Fix realloc leak on failure in growable_comment_array_add (GH-19083)
Fix a leak and subsequent crash in parsetok.c caused by realloc misuse on a rare codepath. Realloc returns a null pointer on failure, and then growable_comment_array_deallocate crashes later when it dereferences it.
---
 .../2020-03-19-21-53-41.bpo-40020.n-26G7.rst | 1 +
 Parser/parsetok.c | 8 +++++---
 2 files changed, 6 insertions(+), 3 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Core and Builtins/2020-03-19-21-53-41.bpo-40020.n-26G7.rst
diff --git a/Misc/NEWS.d/next/Core and Builtins/2020-03-19-21-53-41.bpo-40020.n-26G7.rst b/Misc/NEWS.d/next/Core and Builtins/2020-03-19-21-53-41.bpo-40020.n-26G7.rst
new file mode 100644
index 00000000000..948404baba2
--- /dev/null
+++ b/Misc/NEWS.d/next/Core and Builtins/2020-03-19-21-53-41.bpo-40020.n-26G7.rst
@@ -0,0 +1 @@
+Fix a leak and subsequent crash in parsetok.c caused by realloc misuse on a rare codepath.
diff --git a/Parser/parsetok.c b/Parser/parsetok.c
index 554455dbc2b..cb9472150f2 100644
--- a/Parser/parsetok.c
+++ b/Parser/parsetok.c
@@ -37,11 +37,13 @@ growable_comment_array_init(growable_comment_array *arr, size_t initial_size) {
 static int growable_comment_array_add(growable_comment_array *arr, int lineno, char *comment) {
 if (arr->num_items >= arr->size) {
- arr->size *= 2;
- arr->items = realloc(arr->items, arr->size * sizeof(*arr->items));
- if (!arr->items) {
+ size_t new_size = arr->size * 2;
+ void *new_items_array = realloc(arr->items, new_size * sizeof(*arr->items));
+ if (!new_items_array) {
 return 0;
 }
+ arr->items = new_items_array;
+ arr->size = new_size;
 }
 arr->items[arr->num_items].lineno = lineno;
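Review bot: The growth arithmetic in the new lines `size_t new_size = arr->size * 2;` and `new_size * sizeof(*arr->items)` is still unchecked. If either product wrapped, realloc could succeed with a buffer shorter than `new_size` entries, and the store to `arr->items[arr->num_items]` just below the block would write past it. That is unlikely at realistic comment counts, but a guard before the doubling keeps it on the failure path this commit just made safe: `if (arr->size > SIZE_MAX / 2 / sizeof(*arr->items)) { return 0; }`. Separately, if `growable_comment_array_init` can ever be given an `initial_size` of 0 (its callers are outside this hunk), doubling never grows the array and `realloc(ptr, 0)` is implementation-defined; `size_t new_size = arr->size ? arr->size * 2 : 1;` would cover that case. The body of growable_comment_array_add continues past the end of the hunk.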