Issue #28275: Fixed possible use adter free in LZMADecompressor.decompress().

Original patch by John Leitch.

diff --git a/Lib/test/test_lzma.py b/Lib/test/test_lzma.py
index 6c698e2f0e1163bd61a2511ab2c315b06d44550d..afd276725bf4ae5081df84b4e669a62d465de448 100644 (file)
--- a/Lib/test/test_lzma.py
+++ b/Lib/test/test_lzma.py
@@ -246,6 +246,15 @@ class CompressorDecompressorTestCase(unittest.TestCase):
         lzd = LZMADecompressor(lzma.FORMAT_RAW, filters=FILTERS_RAW_1)
         self.assertRaises(LZMAError, lzd.decompress, COMPRESSED_XZ)
 
+    def test_decompressor_bug_28275(self):
+        # Test coverage for Issue 28275
+        lzd = LZMADecompressor()
+        for i in range(2):
+            try:
+                lzd.decompress(COMPRESSED_RAW_1)
+            except LZMAError:
+                pass
+
     # Test that LZMACompressor->LZMADecompressor preserves the input data.
 
     def test_roundtrip_xz(self):

diff --git a/Misc/NEWS b/Misc/NEWS
index ddaf9475d26ab4d71d43fbd748c1dc3236545958..661402f8407ca0feb3f73602d194b770cd7f1e61 100644 (file)
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -80,6 +80,9 @@ Core and Builtins
 Library
 -------
 
+- Issue #28275: Fixed possible use adter free in LZMADecompressor.decompress().
+  Original patch by John Leitch.
+
 - Issue #27897: Fixed possible crash in sqlite3.Connection.create_collation()
   if pass invalid string-like object as a name.  Patch by Xiang Zhang.
 

diff --git a/Modules/_lzmamodule.c b/Modules/_lzmamodule.c
index bc01ffe7acc0219cd480a4f93c3c5728726efcfa..74c301d47ad4f4eeaee7463c1d25b652ac0b2ce5 100644 (file)
--- a/Modules/_lzmamodule.c
+++ b/Modules/_lzmamodule.c
@@ -1005,8 +1005,10 @@ decompress(Decompressor *d, uint8_t *data, size_t len, Py_ssize_t max_length)
     }
 
     result = decompress_buf(d, max_length);
-    if(result == NULL)
+    if (result == NULL) {
+        lzs->next_in = NULL;
         return NULL;
+    }
 
     if (d->eof) {
         d->needs_input = 0;