[issue28275] LZMADecompressor.decompress Use After Free

Changes by Donald Stufft : -- pull_requests: +1063 ___ Python tracker ___ ___

[issue28275] LZMADecompressor.decompress Use After Free

Changes by Martin Panter : -- resolution: -> fixed stage: commit review -> resolved status: open -> closed ___ Python tracker ___

[issue28275] LZMADecompressor.decompress Use After Free

Roundup Robot added the comment: New changeset 36d37ff6c236 by Martin Panter in branch '3.5': Issue #28275: Clean up to avoid use-after-free after bzip decompress failure https://hg.python.org/cpython/rev/36d37ff6c236 New changeset dca18f0ec280 by Martin Panter in branch '3.6': Issue #28275:

[issue28275] LZMADecompressor.decompress Use After Free

Serhiy Storchaka added the comment: LGTM. And may be worth to rewrite lzma test in your style. -- resolution: fixed -> stage: resolved -> commit review ___ Python tracker

[issue28275] LZMADecompressor.decompress Use After Free

Martin Panter added the comment: Here is a patch to fix the corresponding bug in the bzip decompressor. I will try to commit it soon if there are no objections. For the record, these bugs were introduced with the max_length support in Issue 15955. The bzip code was modelled after the LZMA

[issue28275] LZMADecompressor.decompress Use After Free

Serhiy Storchaka added the comment: Committed with small changes. Thank you John for your contribution. Tested that 3.4 is not affected. -- resolution: -> fixed stage: patch review -> resolved status: open -> closed ___ Python tracker

[issue28275] LZMADecompressor.decompress Use After Free

Roundup Robot added the comment: New changeset b4c0e733b342 by Serhiy Storchaka in branch '3.5': Issue #28275: Fixed possible use adter free in LZMADecompressor.decompress(). https://hg.python.org/cpython/rev/b4c0e733b342 New changeset 52f8eb2fa6a6 by Serhiy Storchaka in branch '3.6': Issue

[issue28275] LZMADecompressor.decompress Use After Free

Changes by Christian Heimes : -- priority: normal -> critical versions: +Python 3.6, Python 3.7 ___ Python tracker ___

[issue28275] LZMADecompressor.decompress Use After Free

Changes by Serhiy Storchaka : -- assignee: -> serhiy.storchaka stage: test needed -> patch review ___ Python tracker ___

[issue28275] LZMADecompressor.decompress Use After Free

John Leitch added the comment: Of course. Attached is a new patch that includes test coverage. It crashes on failure as there isn't any reasonable way to monitor for this kind of undefined behavior, but it's better than nothing. -- Added file:

[issue28275] LZMADecompressor.decompress Use After Free

Serhiy Storchaka added the comment: Thanks John. Could you please add a test based on your reproducer? -- nosy: +serhiy.storchaka stage: -> test needed ___ Python tracker

[issue28275] LZMADecompressor.decompress Use After Free

Changes by Alex Gaynor : -- nosy: +nadeem.vawda ___ Python tracker ___ ___

[issue28275] LZMADecompressor.decompress Use After Free

Changes by Alex Gaynor : -- keywords: +security_issue ___ Python tracker ___ ___

[issue28275] LZMADecompressor.decompress Use After Free

Changes by John Leitch : Added file: http://bugs.python.org/file44828/Py35_LZMADecompressor.py ___ Python tracker ___

[issue28275] LZMADecompressor.decompress Use After Free

New submission from John Leitch: Python 3.5.2 suffers from a use after free vulnerability caused by the behavior of the LZMADecompressor.decompress method. The problem exists due to a dangling pointer created by an incomplete error path in the _lzma!decompress function. static PyObject *