Close #16742: Fix misuse of memory allocations in PyOS_Readline()
The GIL must be held to call PyMem_Malloc(), whereas PyOS_Readline() releases
the GIL to read input.
The result of the C callback PyOS_ReadlineFunctionPointer must now be a string
allocated by PyMem_RawMalloc() or PyMem_RawRealloc() (or NULL if an error
occurred), instead of a string allocated by PyMem_Malloc() or PyMem_Realloc().
Fixing this issue was required to setup a hook on PyMem_Malloc(), for example
using the tracemalloc module.
PyOS_Readline() copies the result of PyOS_ReadlineFunctionPointer() into a new
buffer allocated by PyMem_Malloc(). So the public API of PyOS_Readline() does
not change.
diff --git a/Parser/myreadline.c b/Parser/myreadline.c
index 3cf334d..562494e 100644
--- a/Parser/myreadline.c
+++ b/Parser/myreadline.c
@@ -113,18 +113,22 @@
{
size_t n;
char *p, *pr;
+
n = 100;
- if ((p = (char *)PyMem_MALLOC(n)) == NULL)
+ p = (char *)PyMem_RawMalloc(n);
+ if (p == NULL)
return NULL;
+
fflush(sys_stdout);
if (prompt)
fprintf(stderr, "%s", prompt);
fflush(stderr);
+
switch (my_fgets(p, (int)n, sys_stdin)) {
case 0: /* Normal case */
break;
case 1: /* Interrupt */
- PyMem_FREE(p);
+ PyMem_RawFree(p);
return NULL;
case -1: /* EOF */
case -2: /* Error */
@@ -140,7 +144,7 @@
PyErr_SetString(PyExc_OverflowError, "input line too long");
return NULL;
}
- pr = (char *)PyMem_REALLOC(p, n + incr);
+ pr = (char *)PyMem_RawRealloc(p, n + incr);
if (pr == NULL) {
PyMem_FREE(p);
PyErr_NoMemory();
@@ -151,7 +155,7 @@
break;
n += strlen(p+n);
}
- pr = (char *)PyMem_REALLOC(p, n+1);
+ pr = (char *)PyMem_RawRealloc(p, n+1);
if (pr == NULL) {
PyMem_FREE(p);
PyErr_NoMemory();
@@ -174,7 +178,8 @@
char *
PyOS_Readline(FILE *sys_stdin, FILE *sys_stdout, char *prompt)
{
- char *rv;
+ char *rv, *res;
+ size_t len;
if (_PyOS_ReadlineTState == PyThreadState_GET()) {
PyErr_SetString(PyExc_RuntimeError,
@@ -221,5 +226,14 @@
_PyOS_ReadlineTState = NULL;
- return rv;
+ if (rv == NULL)
+ return NULL;
+
+ len = strlen(rv) + 1;
+ res = PyMem_Malloc(len);
+ if (res != NULL)
+ memcpy(res, rv, len);
+ PyMem_RawFree(rv);
+
+ return res;
}