diff --git a/Lib/test/test_zlib.py b/Lib/test/test_zlib.py index f5180e0bdca..2f6f84042f1 100644 --- a/Lib/test/test_zlib.py +++ b/Lib/test/test_zlib.py @@ -513,6 +513,18 @@ class CompressObjectTestCase(BaseCompressTestCase, unittest.TestCase): self.assertEqual(dco.unconsumed_tail, b'') self.assertEqual(dco.unused_data, remainder) + def test_flush_with_freed_input(self): + # Issue #16411: decompressor accesses input to last decompress() call + # in flush(), even if this object has been freed in the meanwhile. + input1 = b'abcdefghijklmnopqrstuvwxyz' + input2 = b'QWERTYUIOPASDFGHJKLZXCVBNM' + data = zlib.compress(input1) + dco = zlib.decompressobj() + dco.decompress(data, 1) + del data + data = zlib.compress(input2) + self.assertEqual(dco.flush(), input1[1:]) + if hasattr(zlib.compressobj(), "copy"): def test_compresscopy(self): # Test copying a compression object diff --git a/Misc/NEWS b/Misc/NEWS index 2c80158b143..6d14ecf6012 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -113,6 +113,9 @@ Core and Builtins Library ------- +- Issue #16411: Fix a bug where zlib.decompressobj().flush() might try to access + previously-freed memory. Patch by Serhiy Storchaka. + - Issue #16357: fix calling accept() on a SSLSocket created through SSLContext.wrap_socket(). Original patch by Jeff McNeil. diff --git a/Modules/zlibmodule.c b/Modules/zlibmodule.c index 9e1c2aef75e..213859ffb87 100644 --- a/Modules/zlibmodule.c +++ b/Modules/zlibmodule.c @@ -975,6 +975,8 @@ PyZlib_unflush(compobject *self, PyObject *args) ENTER_ZLIB(self); start_total_out = self->zst.total_out; + self->zst.avail_in = PyBytes_GET_SIZE(self->unconsumed_tail); + self->zst.next_in = (Byte *)PyBytes_AS_STRING(self->unconsumed_tail); self->zst.avail_out = length; self->zst.next_out = (Byte *)PyBytes_AS_STRING(retval);