changeset:   104101:52f8eb2fa6a6
branch:      3.6
parent:      104095:4b7e51998a90
parent:      104100:b4c0e733b342
user:        Serhiy Storchaka <storchaka@gmail.com>
date:        Tue Sep 27 20:23:41 2016 +0300
files:       Lib/test/test_lzma.py Misc/NEWS Modules/_lzmamodule.c
description:
Issue #28275: Fixed possible use adter free in LZMADecompressor.decompress().
Original patch by John Leitch.


diff -r 4b7e51998a90 -r 52f8eb2fa6a6 Lib/test/test_lzma.py
--- a/Lib/test/test_lzma.py	Tue Sep 27 05:26:12 2016 +0000
+++ b/Lib/test/test_lzma.py	Tue Sep 27 20:23:41 2016 +0300
@@ -246,6 +246,15 @@
         lzd = LZMADecompressor(lzma.FORMAT_RAW, filters=FILTERS_RAW_1)
         self.assertRaises(LZMAError, lzd.decompress, COMPRESSED_XZ)
 
+    def test_decompressor_bug_28275(self):
+        # Test coverage for Issue 28275
+        lzd = LZMADecompressor()
+        for i in range(2):
+            try:
+                lzd.decompress(COMPRESSED_RAW_1)
+            except LZMAError:
+                pass
+
     # Test that LZMACompressor->LZMADecompressor preserves the input data.
 
     def test_roundtrip_xz(self):
diff -r 4b7e51998a90 -r 52f8eb2fa6a6 Misc/NEWS
--- a/Misc/NEWS	Tue Sep 27 05:26:12 2016 +0000
+++ b/Misc/NEWS	Tue Sep 27 20:23:41 2016 +0300
@@ -41,6 +41,9 @@
 Library
 -------
 
+- Issue #28275: Fixed possible use adter free in LZMADecompressor.decompress().
+  Original patch by John Leitch.
+
 - Issue #27897: Fixed possible crash in sqlite3.Connection.create_collation()
   if pass invalid string-like object as a name.  Patch by Xiang Zhang.
 
diff -r 4b7e51998a90 -r 52f8eb2fa6a6 Modules/_lzmamodule.c
--- a/Modules/_lzmamodule.c	Tue Sep 27 05:26:12 2016 +0000
+++ b/Modules/_lzmamodule.c	Tue Sep 27 20:23:41 2016 +0300
@@ -995,8 +995,10 @@
     }
 
     result = decompress_buf(d, max_length);
-    if(result == NULL)
+    if (result == NULL) {
+        lzs->next_in = NULL;
         return NULL;
+    }
 
     if (d->eof) {
         d->needs_input = 0;