bpo-31626: Fixed a bug in debug memory allocator. (GH-3844) (#4191)

Removed a code that incorrectly detected in-place resizing in realloc()
 and wrote to freed memory.
(cherry picked from commit b484d56)

Author: miss-islington

Misc/NEWS.d/next/Core and Builtins/2017-10-01-15-48-03.bpo-31626.reLPxY.rst

@@ -0,0 +1,2 @@
+Fixed a bug in debug memory allocator.  There was a write to freed memory
+after shrinking a memory block.

Objects/obmalloc.c

@@ -1914,7 +1914,7 @@ static void *
 _PyMem_DebugRawRealloc(void *ctx, void *p, size_t nbytes)
 {
     debug_alloc_api_t *api = (debug_alloc_api_t *)ctx;
-    uint8_t *q = (uint8_t *)p, *oldq;
+    uint8_t *q = (uint8_t *)p;
     uint8_t *tail;
     size_t total;       /* nbytes + 4*SST */
     size_t original_nbytes;
@@ -1931,20 +1931,11 @@ _PyMem_DebugRawRealloc(void *ctx, void *p, size_t nbytes)
         /* overflow:  can't represent total as a Py_ssize_t */
         return NULL;
 
-    /* Resize and add decorations. We may get a new pointer here, in which
-     * case we didn't get the chance to mark the old memory with DEADBYTE,
-     * but we live with that.
-     */
-    oldq = q;
+    /* Resize and add decorations. */
     q = (uint8_t *)api->alloc.realloc(api->alloc.ctx, q - 2*SST, total);
     if (q == NULL)
         return NULL;
 
-    if (q == oldq && nbytes < original_nbytes) {
-        /* shrinking:  mark old extra memory dead */
-        memset(q + nbytes, DEADBYTE, original_nbytes - nbytes);
-    }
-
     write_size_t(q, nbytes);
     assert(q[SST] == (uint8_t)api->api_id);
     for (i = 1; i < SST; ++i)