Skip to content

Commit 8637c67

Browse files
vstinnervstinner
committed
gh-148688: Fix _BlocksOutputBuffer_Finish() double free
If _BlocksOutputBuffer_Finish() fails (memory allocation failure), PyBytesWriter_Discard() is called on the writer. Then if _BlocksOutputBuffer_OnError() is called, it calls again PyBytesWriter_Discard() causing a double free. Fix _BlocksOutputBuffer_Finish() by setting buffer->writer to NULL, so _BlocksOutputBuffer_OnError() does nothing instead of calling PyBytesWriter_Discard() again.
1 parent afde756 commit 8637c67

2 files changed

Lines changed: 7 additions & 2 deletions

File tree

Include/internal/pycore_blocks_output_buffer.h

Lines changed: 5 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -242,9 +242,12 @@ static inline PyObject *
242242
_BlocksOutputBuffer_Finish(_BlocksOutputBuffer *buffer,
243243
const Py_ssize_t avail_out)
244244
{
245+
PyObject *obj;
245246
assert(buffer->writer != NULL);
246-
return PyBytesWriter_FinishWithSize(buffer->writer,
247-
buffer->allocated - avail_out);
247+
obj = PyBytesWriter_FinishWithSize(buffer->writer,
248+
buffer->allocated - avail_out);
249+
buffer->writer = NULL;
250+
return obj;
248251
}
249252

250253
/* Clean up the buffer when an error occurred. */

Misc/NEWS.d/next/Library/2026-04-17-16-31-58.gh-issue-148688.vVugFn.rst

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,2 @@
1+
Fix a double free in :mod:`bz2` on memory allocation failure. Patch by
2+
Victor Stinner.

0 commit comments

Comments
 (0)