bpo-34824: Fix a possible NULL pointer dereference in _ssl.c (GH-9606)

On failure, _PyBytes_Resize() will deallocate the bytes object and set "result" to NULL. https://bugs.python.org/issue34824

bpo-34824: Fix a possible NULL pointer dereference in _ssl.c (GH-9606)
On failure, _PyBytes_Resize() will deallocate the bytes object and set "result" to NULL. https://bugs.python.org/issue34824
365ad2ea · Zackery Spytz · Miss Islington (bot) · 683281f5 · 365ad2ea · 365ad2ea
Commit 365ad2ea authored Oct 06, 2018 by Zackery Spytz Committed by Miss Islington (bot) Oct 06, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 2 deletions

Misc/NEWS.d/next/Core and Builtins/2018-09-27-11-10-02.bpo-34824.VLlCaU.rst ...ore and Builtins/2018-09-27-11-10-02.bpo-34824.VLlCaU.rst +2 -0

Modules/_ssl.c Modules/_ssl.c +7 -2

No files found.
--- a/Misc/NEWS.d/next/Core and Builtins/2018-09-27-11-10-02.bpo-34824.VLlCaU.rst
+++ b/Misc/NEWS.d/next/Core and Builtins/2018-09-27-11-10-02.bpo-34824.VLlCaU.rst
+Fix a possible null pointer dereference in Modules/_ssl.c. Patch by Zackery
+Spytz.
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -4710,12 +4710,17 @@ _ssl_MemoryBIO_read_impl(PySSLMemoryBIO *self, int len)
        return result;

    nbytes = BIO_read(self->bio, PyBytes_AS_STRING(result), len);
-    /* There should never be any short reads but check anyway. */
-    if ((nbytes < len) && (_PyBytes_Resize(&result, len) < 0)) {
+    if (nbytes < 0) {
        Py_DECREF(result);
+        _setSSLError(NULL, 0, __FILE__, __LINE__);
        return NULL;
    }

+    /* There should never be any short reads but check anyway. */
+    if (nbytes < len) {
+        _PyBytes_Resize(&result, nbytes);
+    }
+
    return result;
 }