bpo-40020: Fix realloc leak on failure in growable_comment_array_add (GH-19083)
authorAlexander Riccio <test35965@gmail.com>
Mon, 30 Mar 2020 21:15:59 +0000 (17:15 -0400)
committerGitHub <noreply@github.com>
Mon, 30 Mar 2020 21:15:59 +0000 (23:15 +0200)
Fix a leak and subsequent crash in parsetok.c caused by realloc misuse on a rare codepath.

realloc returns a null pointer on failure, and growable_comment_array_deallocate then crashes later when it dereferences that null pointer.

Misc/NEWS.d/next/Core and Builtins/2020-03-19-21-53-41.bpo-40020.n-26G7.rst [new file with mode: 0644]
Parser/parsetok.c

diff --git a/Misc/NEWS.d/next/Core and Builtins/2020-03-19-21-53-41.bpo-40020.n-26G7.rst b/Misc/NEWS.d/next/Core and Builtins/2020-03-19-21-53-41.bpo-40020.n-26G7.rst
new file mode 100644 (file)
index 0000000..948404b
--- /dev/null
@@ -0,0 +1 @@
+Fix a leak and subsequent crash in parsetok.c caused by realloc misuse on a rare codepath.
index 554455dbc2badf29e59928ae439222735a998b63..cb9472150f2ca8656074b8240d4b0912c7759053 100644 (file)
@@ -37,11 +37,13 @@ growable_comment_array_init(growable_comment_array *arr, size_t initial_size) {
 static int
 growable_comment_array_add(growable_comment_array *arr, int lineno, char *comment) {
     if (arr->num_items >= arr->size) {
-        arr->size *= 2;
-        arr->items = realloc(arr->items, arr->size * sizeof(*arr->items));
-        if (!arr->items) {
+        size_t new_size = arr->size * 2;
+        void *new_items_array = realloc(arr->items, new_size * sizeof(*arr->items));
+        if (!new_items_array) {
             return 0;
         }
+        arr->items = new_items_array;
+        arr->size = new_size;
     }
 
     arr->items[arr->num_items].lineno = lineno;
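Review bot: The size arithmetic in the new lines, `arr->size * 2` and `new_size * sizeof(*arr->items)`, is still unchecked, so a wrapped product would make realloc() succeed with a buffer smaller than `new_size` claims, and the store to `arr->items[arr->num_items]` directly below would then write past it. A guard ahead of the realloc closes this, for example `if (arr->size > SIZE_MAX / 2 / sizeof(*arr->items)) { return 0; }`. Separately, if growable_comment_array_init can ever be called with `initial_size` 0 (its body is not visible here), `new_size` stays 0 and `realloc(ptr, 0)` is implementation-defined, so it may free the buffer and return NULL while `arr->items` still points at it. A floor such as `size_t new_size = arr->size ? arr->size * 2 : 1;` would avoid that case. The function body continues past the end of this hunk, so how the rest of it and its callers treat the 0 return cannot be confirmed from here.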