Issue #28275: Clean up to avoid use-after-free after bzip decompress failure

38317d33 · Martin Panter · 34b9d14b · 38317d33 · 38317d33 · 38317d33
Commit 38317d33 authored Oct 01, 2016 by Martin Panter
Showing with 14 additions and 7 deletions

Lib/test/test_bz2.py Lib/test/test_bz2.py +6 -0

Lib/test/test_lzma.py Lib/test/test_lzma.py +3 -5

Misc/NEWS Misc/NEWS +2 -1

Modules/_bz2module.c Modules/_bz2module.c +3 -1

No files found.
--- a/Lib/test/test_bz2.py
+++ b/Lib/test/test_bz2.py
@@ -821,6 +821,12 @@ class BZ2DecompressorTest(BaseTest):
        out.append(bzd.decompress(self.DATA[300:]))
        self.assertEqual(b''.join(out), self.TEXT)

+    def test_failure(self):
+        bzd = BZ2Decompressor()
+        self.assertRaises(Exception, bzd.decompress, self.BAD_DATA * 30)
+        # Previously, a second call could crash due to internal inconsistency
+        self.assertRaises(Exception, bzd.decompress, self.BAD_DATA * 30)
+
 class CompressDecompressTest(BaseTest):
    def testCompress(self):
        data = bz2.compress(self.TEXT)

--- a/Lib/test/test_lzma.py
+++ b/Lib/test/test_lzma.py
@@ -249,11 +249,9 @@ class CompressorDecompressorTestCase(unittest.TestCase):
    def test_decompressor_bug_28275(self):
        # Test coverage for Issue 28275
        lzd = LZMADecompressor()
-        for i in range(2):
-            try:
-                lzd.decompress(COMPRESSED_RAW_1)
-            except LZMAError:
-                pass
+        self.assertRaises(LZMAError, lzd.decompress, COMPRESSED_RAW_1)
+        # Previously, a second call could crash due to internal inconsistency
+        self.assertRaises(LZMAError, lzd.decompress, COMPRESSED_RAW_1)

    # Test that LZMACompressor->LZMADecompressor preserves the input data.


--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -95,7 +95,8 @@ Library
  that they don't call itermonthdates() which can cause datetime.date
  under/overflow.

- Issue #28275: Fixed possible use adter free in LZMADecompressor.decompress().
+- Issue #28275: Fixed possible use after free in the decompress()
+  methods of the LZMADecompressor and BZ2Decompressor classes.
  Original patch by John Leitch.

 - Issue #27897: Fixed possible crash in sqlite3.Connection.create_collation()

--- a/Modules/_bz2module.c
+++ b/Modules/_bz2module.c
@@ -534,8 +534,10 @@ decompress(BZ2Decompressor *d, char *data, size_t len, Py_ssize_t max_length)
    }

    result = decompress_buf(d, max_length);
-    if(result == NULL)
+    if(result == NULL) {
+        bzs->next_in = NULL;
        return NULL;
+    }

    if (d->eof) {
        d->needs_input = 0;