https://github.com/python/cpython/commit/c23dd527e0ea8e26e44df5c44d0bd49fa08cb5ca commit: c23dd527e0ea8e26e44df5c44d0bd49fa08cb5ca branch: 3.14 author: Miss Islington (bot) <[email protected]> committer: vstinner <[email protected]> date: 2026-03-06T21:06:32Z summary:
[3.14] gh-145376: Fix crashes in `md5module.c` and `hmacmodule.c` (GH-145422) (#145610) gh-145376: Fix crashes in `md5module.c` and `hmacmodule.c` (GH-145422) Fix a possible NULL pointer dereference in `md5module.c` and a double-free in `hmacmodule.c`. Those crashes only occur in error paths taken when the interpreter fails to allocate memory. (cherry picked from commit c1d77683213c400fca144692654845e6f5418981) Co-authored-by: Pieter Eendebak <[email protected]> files: A Misc/NEWS.d/next/Library/2026-03-02-19-41-39.gh-issue-145376.OOzSOh.rst M Modules/hmacmodule.c M Modules/md5module.c
diff --git a/Misc/NEWS.d/next/Library/2026-03-02-19-41-39.gh-issue-145376.OOzSOh.rst b/Misc/NEWS.d/next/Library/2026-03-02-19-41-39.gh-issue-145376.OOzSOh.rst
new file mode 100644
index 00000000000000..b6dbda0427181d
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2026-03-02-19-41-39.gh-issue-145376.OOzSOh.rst
@@ -0,0 +1,2 @@
+Fix double free and null pointer dereference in unusual error scenarios
+in :mod:`hashlib` and :mod:`hmac` modules.
diff --git a/Modules/hmacmodule.c b/Modules/hmacmodule.c
index bc711b51accd87..8a0b3496b1afa1 100644
--- a/Modules/hmacmodule.c
+++ b/Modules/hmacmodule.c
@@ -1529,7 +1529,6 @@ static void
 py_hmac_hinfo_ht_free(void *hinfo)
 {
 py_hmac_hinfo *entry = (py_hmac_hinfo *)hinfo;
- assert(entry->display_name != NULL);
 if (--(entry->refcnt) == 0) {
 Py_CLEAR(entry->display_name);
 PyMem_Free(hinfo);
@@ -1628,7 +1627,8 @@ py_hmac_hinfo_ht_new(void)
 e->hashlib_name == NULL ? e->name : e->hashlib_name
 );
 if (value->display_name == NULL) {
- PyMem_Free(value);
+ /* 'value' is owned by the table (refcnt > 0),
+ so _Py_hashtable_destroy() will free it. */
 goto error;
 }
 }
diff --git a/Modules/md5module.c b/Modules/md5module.c
index 9b5ea2d6e02605..f3855ec3f37faa 100644
--- a/Modules/md5module.c
+++ b/Modules/md5module.c
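Review bot: In py_hmac_hinfo_ht_free (Modules/hmacmodule.c, first hunk), dropping the assert makes an entry with a NULL display_name an accepted state, yet nothing in the function says when that happens. A comment above the refcnt decrement would keep a later reader from restoring the assert, for example `/* display_name may still be NULL when table construction failed part-way; Py_CLEAR() accepts NULL. */`. The second hunk in this file relies on exactly this tolerance when it jumps to the error label without freeing `value`. The function body continues past the end of the hunk.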
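Review bot: The comment added in py_hmac_hinfo_ht_new (second hunk of Modules/hmacmodule.c) rests on `value->refcnt > 0`, but that invariant is set up above the hunk and is not checked at this branch. Placing `assert(value->refcnt > 0);` directly before `goto error;` would make debug builds catch a future reordering that reaches this branch with an entry the table does not yet own, which would turn the removed double free into a leak. Any earlier failure branch in the same loop that releases `value` after it has been inserted under one key would presumably have the same double free, so those branches, which are not visible here, are worth checking against the same ownership rule. The loop and the error label lie outside the hunk.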
@@ -87,7 +87,10 @@ static void
 MD5_dealloc(PyObject *op)
 {
 MD5object *ptr = _MD5object_CAST(op);
- Hacl_Hash_MD5_free(ptr->hash_state);
+ if (ptr->hash_state != NULL) {
+ Hacl_Hash_MD5_free(ptr->hash_state);
+ ptr->hash_state = NULL;
+ }
 PyTypeObject *tp = Py_TYPE(op);
 PyObject_GC_UnTrack(ptr);
 PyObject_GC_Del(ptr);
_______________________________________________
Python-checkins mailing list -- [email protected] To unsubscribe send an email to [email protected] https://mail.python.org/mailman3//lists/python-checkins.python.org Member address: [email protected]
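Review bot: The guard added to MD5_dealloc does not say how hash_state can be NULL, so the check reads as redundant to anyone who has not seen the issue. A one-line comment above the `if` would record it, e.g. `/* hash_state is NULL if its allocation failed before the object was fully set up */`; the allocation site is outside this hunk, so confirm the wording against it. The file list of this commit contains no test change, and since both fixes are only reached when memory allocation fails, a regression test that injects allocation failures would be the way to keep them from regressing. MD5_dealloc continues after the last line shown.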
