[Python-checkins] gh-145376: Fix crashes in `md5module.c` and `hmacmodule.c` (#145422)

Fri, 06 Mar 2026 12:00:22 -0800 

https://github.com/python/cpython/commit/c1d77683213c400fca144692654845e6f5418981
commit: c1d77683213c400fca144692654845e6f5418981
branch: main
author: Pieter Eendebak <[email protected]>
committer: picnixz <[email protected]>
date: 2026-03-06T20:00:06Z
summary:

gh-145376: Fix crashes in `md5module.c` and `hmacmodule.c` (#145422)

Fix a possible NULL pointer dereference in `md5module.c` and a double-free in 
`hmacmodule.c`.
Those crashes only occur in error paths taken when the interpreter fails to 
allocate memory.

files:
A Misc/NEWS.d/next/Library/2026-03-02-19-41-39.gh-issue-145376.OOzSOh.rst
M Modules/hmacmodule.c
M Modules/md5module.c

diff --git 
a/Misc/NEWS.d/next/Library/2026-03-02-19-41-39.gh-issue-145376.OOzSOh.rst 
b/Misc/NEWS.d/next/Library/2026-03-02-19-41-39.gh-issue-145376.OOzSOh.rst
new file mode 100644
index 00000000000000..b6dbda0427181d
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2026-03-02-19-41-39.gh-issue-145376.OOzSOh.rst
@@ -0,0 +1,2 @@
+Fix double free and null pointer dereference in unusual error scenarios
+in :mod:`hashlib` and :mod:`hmac` modules.
diff --git a/Modules/hmacmodule.c b/Modules/hmacmodule.c
index 7a040103bcb234..1a212fa3d37e18 100644
--- a/Modules/hmacmodule.c
+++ b/Modules/hmacmodule.c
@@ -1378,7 +1378,6 @@ static void
 py_hmac_hinfo_ht_free(void *hinfo)
 {
     py_hmac_hinfo *entry = (py_hmac_hinfo *)hinfo;
-    assert(entry->display_name != NULL);
     if (--(entry->refcnt) == 0) {
         Py_CLEAR(entry->display_name);
         PyMem_Free(hinfo);
@@ -1477,7 +1476,8 @@ py_hmac_hinfo_ht_new(void)
             e->hashlib_name == NULL ? e->name : e->hashlib_name
         );
         if (value->display_name == NULL) {
-            PyMem_Free(value);
+            /* 'value' is owned by the table (refcnt > 0),
+               so _Py_hashtable_destroy() will free it. */
             goto error;
         }
     }
diff --git a/Modules/md5module.c b/Modules/md5module.c
index 56e9faf4c62002..e598b1fe67240d 100644
--- a/Modules/md5module.c
+++ b/Modules/md5module.c
@@ -87,7 +87,10 @@ static void
 MD5_dealloc(PyObject *op)
 {
     MD5object *ptr = _MD5object_CAST(op);
-    Hacl_Hash_MD5_free(ptr->hash_state);
+    if (ptr->hash_state != NULL) {
+        Hacl_Hash_MD5_free(ptr->hash_state);
+        ptr->hash_state = NULL;
+    }
     PyTypeObject *tp = Py_TYPE(op);
     PyObject_GC_UnTrack(ptr);
     PyObject_GC_Del(ptr);

_______________________________________________
Python-checkins mailing list -- [email protected]
To unsubscribe send an email to [email protected]
https://mail.python.org/mailman3//lists/python-checkins.python.org
Member address: [email protected]

Reply via email to