From 8637c67934caacd964217e2013f7c1dd235871a4 Mon Sep 17 00:00:00 2001
From: Victor Stinner <vstinner@python.org>
Date: Fri, 17 Apr 2026 16:23:39 +0200
Subject: [PATCH 1/4] gh-148688: Fix _BlocksOutputBuffer_Finish() double free

If _BlocksOutputBuffer_Finish() fails (memory allocation failure),
PyBytesWriter_Discard() is called on the writer. Then if
_BlocksOutputBuffer_OnError() is called, it calls again
PyBytesWriter_Discard() causing a double free.

Fix _BlocksOutputBuffer_Finish() by setting buffer->writer to NULL,
so _BlocksOutputBuffer_OnError() does nothing instead of calling
PyBytesWriter_Discard() again.
---
 Include/internal/pycore_blocks_output_buffer.h             | 7 +++++--
 .../Library/2026-04-17-16-31-58.gh-issue-148688.vVugFn.rst | 2 ++
 2 files changed, 7 insertions(+), 2 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Library/2026-04-17-16-31-58.gh-issue-148688.vVugFn.rst

diff --git a/Include/internal/pycore_blocks_output_buffer.h b/Include/internal/pycore_blocks_output_buffer.h
index 016e7a18665859..322c1e93344ba3 100644
--- a/Include/internal/pycore_blocks_output_buffer.h
+++ b/Include/internal/pycore_blocks_output_buffer.h
@@ -242,9 +242,12 @@ static inline PyObject *
 _BlocksOutputBuffer_Finish(_BlocksOutputBuffer *buffer,
                            const Py_ssize_t avail_out)
 {
+    PyObject *obj;
     assert(buffer->writer != NULL);
-    return PyBytesWriter_FinishWithSize(buffer->writer,
-                                        buffer->allocated - avail_out);
+    obj = PyBytesWriter_FinishWithSize(buffer->writer,
+                                       buffer->allocated - avail_out);
+    buffer->writer = NULL;
+    return obj;
 }
 
 /* Clean up the buffer when an error occurred. */
diff --git a/Misc/NEWS.d/next/Library/2026-04-17-16-31-58.gh-issue-148688.vVugFn.rst b/Misc/NEWS.d/next/Library/2026-04-17-16-31-58.gh-issue-148688.vVugFn.rst
new file mode 100644
index 00000000000000..edd8b206c78c31
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2026-04-17-16-31-58.gh-issue-148688.vVugFn.rst
@@ -0,0 +1,2 @@
+Fix a double free in :mod:`bz2` on memory allocation failure. Patch by
+Victor Stinner.

From 7b1527952dab35d6829dc71aa0a82dfeb4029571 Mon Sep 17 00:00:00 2001
From: Victor Stinner <vstinner@python.org>
Date: Fri, 17 Apr 2026 17:30:16 +0200
Subject: [PATCH 2/4] lzma and zlib are also affected

---
 .../Library/2026-04-17-16-31-58.gh-issue-148688.vVugFn.rst    | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Misc/NEWS.d/next/Library/2026-04-17-16-31-58.gh-issue-148688.vVugFn.rst b/Misc/NEWS.d/next/Library/2026-04-17-16-31-58.gh-issue-148688.vVugFn.rst
index edd8b206c78c31..cb7dd23fb8766c 100644
--- a/Misc/NEWS.d/next/Library/2026-04-17-16-31-58.gh-issue-148688.vVugFn.rst
+++ b/Misc/NEWS.d/next/Library/2026-04-17-16-31-58.gh-issue-148688.vVugFn.rst
@@ -1,2 +1,2 @@
-Fix a double free in :mod:`bz2` on memory allocation failure. Patch by
-Victor Stinner.
+:mod:`bz2`, :mod:`lzma`, :mod:`zlib`: Fix a double free in on memory allocation
+failure. Patch by Victor Stinner.

From 2bf1d695ae5b816ae4a7e9cfc1ca5c109bca0543 Mon Sep 17 00:00:00 2001
From: Victor Stinner <vstinner@python.org>
Date: Fri, 17 Apr 2026 17:53:12 +0200
Subject: [PATCH 3/4] NEWS entry: mention alos compression.zstd

---
 .../Library/2026-04-17-16-31-58.gh-issue-148688.vVugFn.rst    | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Misc/NEWS.d/next/Library/2026-04-17-16-31-58.gh-issue-148688.vVugFn.rst b/Misc/NEWS.d/next/Library/2026-04-17-16-31-58.gh-issue-148688.vVugFn.rst
index cb7dd23fb8766c..fa190f341097de 100644
--- a/Misc/NEWS.d/next/Library/2026-04-17-16-31-58.gh-issue-148688.vVugFn.rst
+++ b/Misc/NEWS.d/next/Library/2026-04-17-16-31-58.gh-issue-148688.vVugFn.rst
@@ -1,2 +1,2 @@
-:mod:`bz2`, :mod:`lzma`, :mod:`zlib`: Fix a double free in on memory allocation
-failure. Patch by Victor Stinner.
+:mod:`bz2`, :mod:`compression.zstd`, :mod:`lzma`, :mod:`zlib`: Fix a double
+free in on memory allocation failure. Patch by Victor Stinner.

From 68eaa9673c82cfb7917afa9627f6295982c8e937 Mon Sep 17 00:00:00 2001
From: Victor Stinner <vstinner@python.org>
Date: Sat, 18 Apr 2026 11:28:42 +0200
Subject: [PATCH 4/4] NEWS: fix typo

---
 .../next/Library/2026-04-17-16-31-58.gh-issue-148688.vVugFn.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Misc/NEWS.d/next/Library/2026-04-17-16-31-58.gh-issue-148688.vVugFn.rst b/Misc/NEWS.d/next/Library/2026-04-17-16-31-58.gh-issue-148688.vVugFn.rst
index fa190f341097de..1e367716e5a0a7 100644
--- a/Misc/NEWS.d/next/Library/2026-04-17-16-31-58.gh-issue-148688.vVugFn.rst
+++ b/Misc/NEWS.d/next/Library/2026-04-17-16-31-58.gh-issue-148688.vVugFn.rst
@@ -1,2 +1,2 @@
 :mod:`bz2`, :mod:`compression.zstd`, :mod:`lzma`, :mod:`zlib`: Fix a double
-free in on memory allocation failure. Patch by Victor Stinner.
+free on memory allocation failure. Patch by Victor Stinner.