Issue #16411: Fix a bug where zlib.decompressobj().flush() might try to access previously-freed memory.
Patch by Serhiy Storchaka.
diff --git a/Lib/test/test_zlib.py b/Lib/test/test_zlib.py
index eed8164..f3dffd6 100644
--- a/Lib/test/test_zlib.py
+++ b/Lib/test/test_zlib.py
@@ -396,6 +396,18 @@
y += dco.flush()
self.assertEqual(y, 'foo')
+ def test_flush_with_freed_input(self):
+ # Issue #16411: decompressor accesses input to last decompress() call
+ # in flush(), even if this object has been freed in the meanwhile.
+ input1 = 'abcdefghijklmnopqrstuvwxyz'
+ input2 = 'QWERTYUIOPASDFGHJKLZXCVBNM'
+ data = zlib.compress(input1)
+ dco = zlib.decompressobj()
+ dco.decompress(data, 1)
+ del data
+ data = zlib.compress(input2)
+ self.assertEqual(dco.flush(), input1[1:])
+
if hasattr(zlib.compressobj(), "copy"):
def test_compresscopy(self):
# Test copying a compression object
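Review bot: test_flush_with_freed_input can still pass on an unfixed build, because the assertion only sees stale data if the allocator happens to place `zlib.compress(input2)` in the block released by `del data`. That reuse is likely for two same-sized strings but not guaranteed, so a green run here is weak evidence on its own. The reassigned `data` is never read again, which makes its purpose easy to miss. I would add a comment such as `# allocate a same-sized string so the freed buffer is likely reused and overwritten` above the second `zlib.compress` call. For a deterministic signal, also run this test on a build with a memory checker enabled.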
diff --git a/Misc/NEWS b/Misc/NEWS
index 93aec6b..a4a4105 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -140,6 +140,9 @@
Library
-------
+- Issue #16411: Fix a bug where zlib.decompressobj().flush() might try to access
+ previously-freed memory. Patch by Serhiy Storchaka.
+
- Issue #16350: zlib.decompressobj().decompress() now accumulates data from
successive calls after EOF in unused_data, instead of only saving the argument
to the last call. decompressobj().flush() now correctly sets unused_data and
diff --git a/Modules/zlibmodule.c b/Modules/zlibmodule.c
index b9e207e..d6c6728 100644
--- a/Modules/zlibmodule.c
+++ b/Modules/zlibmodule.c
@@ -830,6 +830,8 @@
ENTER_ZLIB
start_total_out = self->zst.total_out;
+ self->zst.avail_in = PyBytes_GET_SIZE(self->unconsumed_tail);
+ self->zst.next_in = (Byte *)PyBytes_AS_STRING(self->unconsumed_tail);
self->zst.avail_out = length;
self->zst.next_out = (Byte *)PyString_AS_STRING(retval);
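Review bot: The added `self->zst.avail_in = PyBytes_GET_SIZE(self->unconsumed_tail);` assigns a Py_ssize_t to zlib's unsigned-int `avail_in`. Unless the tail length is bounded somewhere outside this hunk, a tail larger than UINT_MAX on a 64-bit build would be silently truncated and flush() would inflate only part of it. A range check before the assignment, or a comment naming where the bound is enforced, would close that gap. The two new lines also deserve a why-comment, for example `/* next_in may still point into the caller's last decompress() argument, which can already be freed; use the tail we own */`. The neighbouring line uses `PyString_AS_STRING`, so the `PyBytes_*` spellings here are inconsistent with it. The function body starts and ends outside the hunk.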