changeset:   104210:dca18f0ec280
branch:      3.6
parent:      104207:929e3adefe7a
parent:      104209:36d37ff6c236
user:        Martin Panter <vadmium+py@gmail.com>
date:        Sat Oct 01 03:11:04 2016 +0000
files:       Lib/test/test_bz2.py Lib/test/test_lzma.py Misc/NEWS Modules/_bz2module.c
description:
Issue #28275: Merge bz2 fix from 3.5 into 3.6


diff -r 929e3adefe7a -r dca18f0ec280 Lib/test/test_bz2.py
--- a/Lib/test/test_bz2.py	Sat Oct 01 05:01:54 2016 +0300
+++ b/Lib/test/test_bz2.py	Sat Oct 01 03:11:04 2016 +0000
@@ -821,6 +821,12 @@
         out.append(bzd.decompress(self.DATA[300:]))
         self.assertEqual(b''.join(out), self.TEXT)
 
+    def test_failure(self):
+        bzd = BZ2Decompressor()
+        self.assertRaises(Exception, bzd.decompress, self.BAD_DATA * 30)
+        # Previously, a second call could crash due to internal inconsistency
+        self.assertRaises(Exception, bzd.decompress, self.BAD_DATA * 30)
+
 class CompressDecompressTest(BaseTest):
     def testCompress(self):
         data = bz2.compress(self.TEXT)
diff -r 929e3adefe7a -r dca18f0ec280 Lib/test/test_lzma.py
--- a/Lib/test/test_lzma.py	Sat Oct 01 05:01:54 2016 +0300
+++ b/Lib/test/test_lzma.py	Sat Oct 01 03:11:04 2016 +0000
@@ -249,11 +249,9 @@
     def test_decompressor_bug_28275(self):
         # Test coverage for Issue 28275
         lzd = LZMADecompressor()
-        for i in range(2):
-            try:
-                lzd.decompress(COMPRESSED_RAW_1)
-            except LZMAError:
-                pass
+        self.assertRaises(LZMAError, lzd.decompress, COMPRESSED_RAW_1)
+        # Previously, a second call could crash due to internal inconsistency
+        self.assertRaises(LZMAError, lzd.decompress, COMPRESSED_RAW_1)
 
     # Test that LZMACompressor->LZMADecompressor preserves the input data.
 
diff -r 929e3adefe7a -r dca18f0ec280 Misc/NEWS
--- a/Misc/NEWS	Sat Oct 01 05:01:54 2016 +0300
+++ b/Misc/NEWS	Sat Oct 01 03:11:04 2016 +0000
@@ -67,7 +67,8 @@
   that they don't call itermonthdates() which can cause datetime.date
   under/overflow.
 
-- Issue #28275: Fixed possible use adter free in LZMADecompressor.decompress().
+- Issue #28275: Fixed possible use after free in the decompress()
+  methods of the LZMADecompressor and BZ2Decompressor classes.
   Original patch by John Leitch.
 
 - Issue #27897: Fixed possible crash in sqlite3.Connection.create_collation()
diff -r 929e3adefe7a -r dca18f0ec280 Modules/_bz2module.c
--- a/Modules/_bz2module.c	Sat Oct 01 05:01:54 2016 +0300
+++ b/Modules/_bz2module.c	Sat Oct 01 03:11:04 2016 +0000
@@ -534,8 +534,10 @@
     }
 
     result = decompress_buf(d, max_length);
-    if(result == NULL)
+    if(result == NULL) {
+        bzs->next_in = NULL;
         return NULL;
+    }
 
     if (d->eof) {
         d->needs_input = 0;