From: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> Date: Tue, 31 Oct 2017 13:58:33 +0000 (-0700) Subject: bpo-31626: Fixed a bug in debug memory allocator. (GH-3844) (#4191) X-Git-Tag: v3.6.4rc1~120 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=ece5659565e083baaee4d185ce181a98aaee7f96;p=python bpo-31626: Fixed a bug in debug memory allocator. (GH-3844) (#4191) Removed a code that incorrectly detected in-place resizing in realloc() and wrote to freed memory. (cherry picked from commit b484d5606ca76f9bbd0f5de7a6ef753400213e94)
---
diff --git a/Misc/NEWS.d/next/Core and Builtins/2017-10-01-15-48-03.bpo-31626.reLPxY.rst b/Misc/NEWS.d/next/Core and Builtins/2017-10-01-15-48-03.bpo-31626.reLPxY.rst
new file mode 100644
index 0000000000..51026a3191
--- /dev/null
+++ b/Misc/NEWS.d/next/Core and Builtins/2017-10-01-15-48-03.bpo-31626.reLPxY.rst
@@ -0,0 +1,2 @@
+Fixed a bug in debug memory allocator. There was a write to freed memory
+after shrinking a memory block.
diff --git a/Objects/obmalloc.c b/Objects/obmalloc.c
index 32e7ecbe1e..38f267e347 100644
--- a/Objects/obmalloc.c
+++ b/Objects/obmalloc.c
@@ -1914,7 +1914,7 @@ static void *
 _PyMem_DebugRawRealloc(void *ctx, void *p, size_t nbytes)
 {
 debug_alloc_api_t *api = (debug_alloc_api_t *)ctx;
- uint8_t *q = (uint8_t *)p, *oldq;
+ uint8_t *q = (uint8_t *)p;
 uint8_t *tail;
 size_t total; /* nbytes + 4*SST */
 size_t original_nbytes;
@@ -1931,20 +1931,11 @@ _PyMem_DebugRawRealloc(void *ctx, void *p, size_t nbytes) /* overflow: can't represent total as a Py_ssize_t */ return NULL; - /* Resize and add decorations. We may get a new pointer here, in which - * case we didn't get the chance to mark the old memory with DEADBYTE, - * but we live with that. - */ - oldq = q; + /* Resize and add decorations. */ q = (uint8_t *)api->alloc.realloc(api->alloc.ctx, q - 2*SST, total); if (q == NULL) return NULL; - if (q == oldq && nbytes < original_nbytes) { - /* shrinking: mark old extra memory dead */ - memset(q + nbytes, DEADBYTE, original_nbytes - nbytes); - } - write_size_t(q, nbytes); assert(q[SST] == (uint8_t)api->api_id); for (i = 1; i < SST; ++i)
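Review bot: With the post-realloc `memset` removed, a shrinking resize no longer marks the discarded tail with DEADBYTE at all, so the old contents of those bytes stay readable in released memory and the debug allocator loses its dead-memory marking for that case; the shortened comment above the `api->alloc.realloc(...)` call does not record this. Dropping the write is the right call, since once realloc has returned the bytes past the new size may no longer belong to the block, but the trade-off deserves a line, e.g. `/* Resize and add decorations. On shrink the released tail is not marked with DEADBYTE: after realloc() it may no longer be ours. */`. If that coverage is wanted back, the marking would have to happen before the realloc call while the block is still owned, with the overwritten bytes saved so they can be restored when realloc fails and the caller keeps the original block. The function body starts and ends outside this hunk, and `original_nbytes` is assigned in lines not shown here.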