bpo-25862: Fix several bugs in the _io module. (GH-8026)

They can be exposed when some C API calls fail due to lack of memory. * Failed Py_BuildValue() could cause an assertion error in the following TextIOWrapper.tell(). * input_chunk could be decrefed twice in TextIOWrapper.seek() after failed Py_BuildValue(). * initvalue could leak in StringIO.__getstate__() after failed PyDict_Copy().

bpo-25862: Fix several bugs in the _io module. (GH-8026)
They can be exposed when some C API calls fail due to lack of memory. * Failed Py_BuildValue() could cause an assertion error in the following TextIOWrapper.tell(). * input_chunk could be decrefed twice in TextIOWrapper.seek() after failed Py_BuildValue(). * initvalue could leak in StringIO.__getstate__() after failed PyDict_Copy().
fdb5a50e · Serhiy Storchaka · GitHub · 0cdf5f42 · fdb5a50e · fdb5a50e
Commit fdb5a50e authored Jun 30, 2018 by Serhiy Storchaka Committed by GitHub Jun 30, 2018
Show whitespace changes
Inline Side-by-side

Showing with 17 additions and 8 deletions

Modules/_io/stringio.c Modules/_io/stringio.c +3 -1

Modules/_io/textio.c Modules/_io/textio.c +14 -7

No files found.
--- a/Modules/_io/stringio.c
+++ b/Modules/_io/stringio.c
@@ -826,9 +826,11 @@ stringio_getstate(stringio *self, PyObject *Py_UNUSED(ignored))
    }
    else {
        dict = PyDict_Copy(self->dict);
-        if (dict == NULL)
+        if (dict == NULL) {
+            Py_DECREF(initvalue);
            return NULL;
        }
+    }
    state = Py_BuildValue("(OOnN)", initvalue,
                          self->readnl ? self->readnl : Py_None,

--- a/Modules/_io/textio.c
+++ b/Modules/_io/textio.c
@@ -1773,11 +1773,16 @@ textiowrapper_read_chunk(textio *self, Py_ssize_t size_hint)
         */
        PyObject *next_input = dec_buffer;
        PyBytes_Concat(&next_input, input_chunk);
-        if (next_input == NULL) {
        dec_buffer = NULL; /* Reference lost to PyBytes_Concat */
+        if (next_input == NULL) {
+            goto fail;
+        }
+        PyObject *snapshot = Py_BuildValue("NN", dec_flags, next_input);
+        if (snapshot == NULL) {
+            dec_flags = NULL;
            goto fail;
        }
-        Py_XSETREF(self->snapshot, Py_BuildValue("NN", dec_flags, next_input));
+        Py_XSETREF(self->snapshot, snapshot);
    }
    Py_DECREF(input_chunk);
@@ -2326,6 +2331,7 @@ _io_TextIOWrapper_seek_impl(textio *self, PyObject *cookieObj, int whence)
    cookie_type cookie;
    PyObject *res;
    int cmp;
+    PyObject *snapshot;
    CHECK_ATTACHED(self);
    CHECK_CLOSED(self);
@@ -2460,11 +2466,11 @@ _io_TextIOWrapper_seek_impl(textio *self, PyObject *cookieObj, int whence)
            goto fail;
        }
-        self->snapshot = Py_BuildValue("iN", cookie.dec_flags, input_chunk);
+        snapshot = Py_BuildValue("iN", cookie.dec_flags, input_chunk);
-        if (self->snapshot == NULL) {
+        if (snapshot == NULL) {
-            Py_DECREF(input_chunk);
            goto fail;
        }
+        Py_XSETREF(self->snapshot, snapshot);
        decoded = _PyObject_CallMethodId(self->decoder, &PyId_decode,
            "Oi", input_chunk, (int)cookie.need_eof);
@@ -2482,9 +2488,10 @@ _io_TextIOWrapper_seek_impl(textio *self, PyObject *cookieObj, int whence)
        self->decoded_chars_used = cookie.chars_to_skip;
    }
    else {
-        self->snapshot = Py_BuildValue("iy", cookie.dec_flags, "");
+        snapshot = Py_BuildValue("iy", cookie.dec_flags, "");
-        if (self->snapshot == NULL)
+        if (snapshot == NULL)
            goto fail;
+        Py_XSETREF(self->snapshot, snapshot);
    }
    /* Finally, reset the encoder (merely useful for proper BOM handling) */