bpo-31626: Fixed a bug in debug memory allocator. (GH-3844) (#4191)

Removed a code that incorrectly detected in-place resizing in realloc()
 and wrote to freed memory.
(cherry picked from commit b484d5606ca76f9bbd0f5de7a6ef753400213e94)

diff --git a/Misc/NEWS.d/next/Core and Builtins/2017-10-01-15-48-03.bpo-31626.reLPxY.rst b/Misc/NEWS.d/next/Core and Builtins/2017-10-01-15-48-03.bpo-31626.reLPxY.rst
new file mode 100644 (file)
index 0000000..51026a3
--- /dev/null
+++ b/Misc/NEWS.d/next/Core and Builtins/2017-10-01-15-48-03.bpo-31626.reLPxY.rst
@@ -0,0 +1,2 @@
+Fixed a bug in debug memory allocator.  There was a write to freed memory
+after shrinking a memory block.

diff --git a/Objects/obmalloc.c b/Objects/obmalloc.c
index 32e7ecbe1e0436867cca5262abd3e12c8f72f23a..38f267e347fcd3b9fee2271cf65b1dabcf95707b 100644 (file)
--- a/Objects/obmalloc.c
+++ b/Objects/obmalloc.c
@@ -1914,7 +1914,7 @@ static void *
 _PyMem_DebugRawRealloc(void *ctx, void *p, size_t nbytes)
 {
     debug_alloc_api_t *api = (debug_alloc_api_t *)ctx;
-    uint8_t *q = (uint8_t *)p, *oldq;
+    uint8_t *q = (uint8_t *)p;
     uint8_t *tail;
     size_t total;       /* nbytes + 4*SST */
     size_t original_nbytes;
@@ -1931,20 +1931,11 @@ _PyMem_DebugRawRealloc(void *ctx, void *p, size_t nbytes)
         /* overflow:  can't represent total as a Py_ssize_t */
         return NULL;
 
-    /* Resize and add decorations. We may get a new pointer here, in which
-     * case we didn't get the chance to mark the old memory with DEADBYTE,
-     * but we live with that.
-     */
-    oldq = q;
+    /* Resize and add decorations. */
     q = (uint8_t *)api->alloc.realloc(api->alloc.ctx, q - 2*SST, total);
     if (q == NULL)
         return NULL;
 
-    if (q == oldq && nbytes < original_nbytes) {
-        /* shrinking:  mark old extra memory dead */
-        memset(q + nbytes, DEADBYTE, original_nbytes - nbytes);
-    }
-
     write_size_t(q, nbytes);
     assert(q[SST] == (uint8_t)api->api_id);
     for (i = 1; i < SST; ++i)