Fix a double free when positioning a database cursor to a non-existent
string key (and probably a few other situations with string keys).
This was reported with a patch as pybsddb sourceforge bug 1708868 by
jjjhhhlll at gmail.
diff --git a/Modules/_bsddb.c b/Modules/_bsddb.c
index c840eaf..bc70cc3 100644
--- a/Modules/_bsddb.c
+++ b/Modules/_bsddb.c
@@ -328,7 +328,19 @@
return 0;
}
- key->data = PyString_AS_STRING(keyobj);
+ /*
+ * NOTE(gps): I don't like doing a data copy here, it seems
+ * wasteful. But without a clean way to tell FREE_DBT if it
+ * should free key->data or not we have to. Other places in
+ * the code check for DB_THREAD and forceably set DBT_MALLOC
+ * when we otherwise would leave flags 0 to indicate that.
+ */
+ key->data = strdup(PyString_AS_STRING(keyobj));
+ if (key->data == NULL) {
+ PyErr_SetString(PyExc_MemoryError, "Key memory allocation failed");
+ return 0;
+ }
+ key->flags = DB_DBT_REALLOC;
key->size = PyString_GET_SIZE(keyobj);
}
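Review bot: `strdup(PyString_AS_STRING(keyobj))` copies only up to the first NUL byte, while `key->size` is still taken from `PyString_GET_SIZE(keyobj)`. For a key with an embedded NUL the allocation is therefore shorter than the size recorded in the DBT, so anything that reads `key->size` bytes through `key->data` runs past the end of the heap buffer. Copy by length instead: `key->data = malloc(PyString_GET_SIZE(keyobj));` and, after the NULL check, `memcpy(key->data, PyString_AS_STRING(keyobj), PyString_GET_SIZE(keyobj));`. An empty key needs an explicit decision there, since `malloc(0)` may return NULL and would then be reported as a memory error. The enclosing function starts before this hunk, so the other branches that fill in `key` are not visible here.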