Issue #16411: Fix a bug where zlib.decompressobj().flush() might try to access previously-freed memory.
Patch by Serhiy Storchaka.
diff --git a/Lib/test/test_zlib.py b/Lib/test/test_zlib.py
index f5180e0..2f6f840 100644
--- a/Lib/test/test_zlib.py
+++ b/Lib/test/test_zlib.py
@@ -513,6 +513,18 @@
self.assertEqual(dco.unconsumed_tail, b'')
self.assertEqual(dco.unused_data, remainder)
+ def test_flush_with_freed_input(self):
+ # Issue #16411: decompressor accesses input to last decompress() call
+ # in flush(), even if this object has been freed in the meanwhile.
+ input1 = b'abcdefghijklmnopqrstuvwxyz'
+ input2 = b'QWERTYUIOPASDFGHJKLZXCVBNM'
+ data = zlib.compress(input1)
+ dco = zlib.decompressobj()
+ dco.decompress(data, 1)
+ del data
+ data = zlib.compress(input2)
+ self.assertEqual(dco.flush(), input1[1:])
+
if hasattr(zlib.compressobj(), "copy"):
def test_compresscopy(self):
# Test copying a compression object
diff --git a/Misc/NEWS b/Misc/NEWS
index 2c80158..6d14ecf 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -113,6 +113,9 @@
Library
-------
+- Issue #16411: Fix a bug where zlib.decompressobj().flush() might try to access
+ previously-freed memory. Patch by Serhiy Storchaka.
+
- Issue #16357: fix calling accept() on a SSLSocket created through
SSLContext.wrap_socket(). Original patch by Jeff McNeil.
diff --git a/Modules/zlibmodule.c b/Modules/zlibmodule.c
index 9e1c2ae..213859f 100644
--- a/Modules/zlibmodule.c
+++ b/Modules/zlibmodule.c
@@ -975,6 +975,8 @@
ENTER_ZLIB(self);
start_total_out = self->zst.total_out;
+ self->zst.avail_in = PyBytes_GET_SIZE(self->unconsumed_tail);
+ self->zst.next_in = (Byte *)PyBytes_AS_STRING(self->unconsumed_tail);
self->zst.avail_out = length;
self->zst.next_out = (Byte *)PyBytes_AS_STRING(retval);