From: Victor Stinner Date: Sat, 18 Apr 2026 09:56:56 +0000 (+0200) Subject: gh-148688: Fix _BlocksOutputBuffer_Finish() double free (#148689) X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d61fcf834d197f0113a6a507fdbecc1545d9d483;p=thirdparty%2FPython%2Fcpython.git gh-148688: Fix _BlocksOutputBuffer_Finish() double free (#148689) If _BlocksOutputBuffer_Finish() fails (memory allocation failure), PyBytesWriter_Discard() is called on the writer. Then if _BlocksOutputBuffer_OnError() is called, it calls again PyBytesWriter_Discard() causing a double free. Fix _BlocksOutputBuffer_Finish() by setting buffer->writer to NULL, so _BlocksOutputBuffer_OnError() does nothing instead of calling PyBytesWriter_Discard() again. --- diff --git a/Include/internal/pycore_blocks_output_buffer.h b/Include/internal/pycore_blocks_output_buffer.h index 016e7a186658..322c1e93344b 100644 --- a/Include/internal/pycore_blocks_output_buffer.h +++ b/Include/internal/pycore_blocks_output_buffer.h @@ -242,9 +242,12 @@ static inline PyObject * _BlocksOutputBuffer_Finish(_BlocksOutputBuffer *buffer, const Py_ssize_t avail_out) { + PyObject *obj; assert(buffer->writer != NULL); - return PyBytesWriter_FinishWithSize(buffer->writer, - buffer->allocated - avail_out); + obj = PyBytesWriter_FinishWithSize(buffer->writer, + buffer->allocated - avail_out); + buffer->writer = NULL; + return obj; } /* Clean up the buffer when an error occurred. */ diff --git a/Misc/NEWS.d/next/Library/2026-04-17-16-31-58.gh-issue-148688.vVugFn.rst b/Misc/NEWS.d/next/Library/2026-04-17-16-31-58.gh-issue-148688.vVugFn.rst new file mode 100644 index 000000000000..1e367716e5a0 --- /dev/null +++ b/Misc/NEWS.d/next/Library/2026-04-17-16-31-58.gh-issue-148688.vVugFn.rst @@ -0,0 +1,2 @@ +:mod:`bz2`, :mod:`compression.zstd`, :mod:`lzma`, :mod:`zlib`: Fix a double +free on memory allocation failure. Patch by Victor Stinner.
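Review bot: In _BlocksOutputBuffer_Finish(), the new `buffer->writer = NULL;` is the whole fix, yet nothing in the hunk documents why it is there. A short comment above the assignment would help: the buffer no longer owns the writer once PyBytesWriter_FinishWithSize() returns, including on failure, so _BlocksOutputBuffer_OnError() must not discard it again. That would keep a later cleanup from dropping the reset and reintroducing the double free. The retained `assert(buffer->writer != NULL);` now also fires in debug builds if Finish is called a second time on the same buffer, while a release build would pass NULL to PyBytesWriter_FinishWithSize(); if single use is the intended contract, state it in the function's comment. As a minor style point, `PyObject *obj;` can be initialized at its declaration rather than assigned two lines later. The patch touches only this header and the NEWS entry, so no test exercises the allocation-failure path.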