https://github.com/python/cpython/commit/938ec030e90c5e53f1faac6fab1643f14e4f4a79
commit: 938ec030e90c5e53f1faac6fab1643f14e4f4a79
branch: 3.10
author: Stan Ulbrych <[email protected]>
committer: pablogsal <[email protected]>
date: 2026-07-04T14:15:47+01:00
summary:
[3.10] gh-150599: Prevent bz2 decompressor reuse after errors (#150600)
(#151133)
* [3.12] gh-150599: Prevent bz2 decompressor reuse after errors (#150600)
(#151054)
(cherry picked from commit 5755d0f083949ff3c5bf3a37e673e24e306b036e)
* We can just make it a plain assignment,
1a9cdaf63af7014dd7bd852b4d8a8c0ab98387ab was 3.15+ anyway.
files:
A Misc/NEWS.d/next/Security/2026-05-30-09-36-20.gh-issue-150599.nlHqU-.rst
M Lib/test/test_bz2.py
M Modules/_bz2module.c
diff --git a/Lib/test/test_bz2.py b/Lib/test/test_bz2.py
index 9965c1fe2e5f175..7c8ca3389abaf7a 100644
--- a/Lib/test/test_bz2.py
+++ b/Lib/test/test_bz2.py
@@ -834,6 +834,21 @@ def test_failure(self):
# Previously, a second call could crash due to internal inconsistency
self.assertRaises(Exception, bzd.decompress, self.BAD_DATA * 30)
+ def test_decompress_after_data_error(self):
+ data = bytes.fromhex(
+ "425a6839314159265359000000000000007fffff000000000000000000000000"
+ "00000000000000000000000000000000000000e0370000000000000000000000"
+ "000000000000000000000000000000000000000000000000000083f3"
+ )
+ bzd = BZ2Decompressor()
+ with self.assertRaisesRegex(OSError, "Invalid data stream"):
+ bzd.decompress(data)
+ # Previously, a second call could crash due to internal inconsistency
+ self.assertFalse(bzd.needs_input)
+ self.assertFalse(bzd.eof)
+ with self.assertRaisesRegex(ValueError, "previous error"):
+ bzd.decompress(b'\x00' * 18)
+
@support.refcount_test
def test_refleaks_in___init__(self):
gettotalrefcount = support.get_attribute(sys, 'gettotalrefcount')
diff --git
a/Misc/NEWS.d/next/Security/2026-05-30-09-36-20.gh-issue-150599.nlHqU-.rst
b/Misc/NEWS.d/next/Security/2026-05-30-09-36-20.gh-issue-150599.nlHqU-.rst
new file mode 100644
index 000000000000000..a37d86cf423f820
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2026-05-30-09-36-20.gh-issue-150599.nlHqU-.rst
@@ -0,0 +1,3 @@
+Fix a possible stack buffer overflow in :mod:`bz2` when a
+:class:`bz2.BZ2Decompressor` is reused after a decompression error.
+The decompressor now becomes unusable after libbz2 reports an error.
diff --git a/Modules/_bz2module.c b/Modules/_bz2module.c
index b08ac5e44e52f4d..241d8d777666433 100644
--- a/Modules/_bz2module.c
+++ b/Modules/_bz2module.c
@@ -104,6 +104,7 @@ typedef struct {
typedef struct {
PyObject_HEAD
bz_stream bzs;
+ int bzerror;
char eof; /* T_BOOL expects a char */
PyObject *unused_data;
char needs_input;
@@ -461,8 +462,11 @@ decompress_buf(BZ2Decompressor *d, Py_ssize_t max_length)
d->bzs_avail_in_real += bzs->avail_in;
- if (catch_bz2_error(bzret))
+ if (catch_bz2_error(bzret)) {
+ d->bzerror = bzret;
+ d->needs_input = 0;
goto error;
+ }
if (bzret == BZ_STREAM_END) {
d->eof = 1;
break;
@@ -630,10 +634,17 @@ _bz2_BZ2Decompressor_decompress_impl(BZ2Decompressor
*self, Py_buffer *data,
PyObject *result = NULL;
ACQUIRE_LOCK(self);
- if (self->eof)
+ if (self->eof) {
PyErr_SetString(PyExc_EOFError, "End of stream already reached");
- else
+ }
+ else if (self->bzerror) {
+ // Re-entering BZ2_bzDecompress() after an error can write out of
bounds.
+ PyErr_SetString(PyExc_ValueError,
+ "Decompressor is unusable after a previous error");
+ }
+ else {
result = decompress(self, data->buf, data->len, max_length);
+ }
RELEASE_LOCK(self);
return result;
}
@@ -655,6 +666,7 @@ _bz2_BZ2Decompressor___init___impl(BZ2Decompressor *self)
}
self->lock = lock;
+ self->bzerror = 0;
self->needs_input = 1;
self->bzs_avail_in_real = 0;
self->input_buffer = NULL;
_______________________________________________
Python-checkins mailing list -- [email protected]
To unsubscribe send an email to [email protected]
https://mail.python.org/mailman3//lists/python-checkins.python.org
Member address: [email protected]