[issue43861] A potential double free in list_sort_impl

2021-04-16 Thread Karthikeyan Singaravelan


Change by Karthikeyan Singaravelan :


--
nosy: +rhettinger, tim.peters

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue43861] A potential double free in list_sort_impl

2021-04-16 Thread Yunlongs


New submission from Yunlongs :

File: Objects/listobject.c

There is a feasible path to trigger a double free if memory is limited. Details as follows:

In function list_sort_impl, it calls merge_collapse(&ms) at line 2,394 and there exist paths to free ms->a.keys:

merge_collapse(&ms) -> merge_at(ms, n) (line 1,938) -> merge_lo(ms, ssa, na, ssb, nb) (line 1,911) -> MERGE_GETMEM(ms, na) (line 1,601) -> merge_freemem(ms) (line 1,565) -> PyMem_Free(ms->a.keys) (line 1,545).

Then if memory is not enough, line 1,568 will return -1 and the error code will propagate to the caller list_sort_impl().

After receiving the error code, list_sort_impl() does goto fail and calls merge_freemem(&ms) again, freeing ms->a.keys a second time at line 2,431.

The same problem also occurs when merge_force_collapse(&ms) is called at line 2,401.

--
messages: 391184
nosy: Yunlongs
priority: normal
severity: normal
status: open
title: A potential double free in list_sort_impl
type: security
versions: Python 3.10

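A constructed C model of the ownership pattern the report describes, added here and not CPython's listobject.c code: a grow routine frees the old temp buffer before allocating, the allocation fails under memory pressure, and the caller's cleanup label frees again. The names TempState, getmem, freemem_dangling and freemem_idempotent are hypothetical; the free wrapper counts a repeated free of the same block instead of performing it, which is what lets the model run safely and show why nulling the pointer in the release routine defuses the second free.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed, simplified model of the temp-buffer ownership in the report;
 * this is not CPython's code. */
typedef struct { void *keys; size_t alloced; } TempState;

static int   g_fail_alloc = 0;     /* 1 = simulate the "memory limited" condition */
static void *g_last_freed = NULL;  /* tiny double-free detector, instead of crashing */
static int   g_double_frees = 0;

static void *model_malloc(size_t n) { return g_fail_alloc ? NULL : malloc(n); }

static void model_free(void *p) {
    if (p == NULL) return;
    if (p == g_last_freed) { g_double_frees++; return; }  /* UB with a real free() */
    g_last_freed = p;
    free(p);
}

/* Unsafe release: the struct keeps a dangling pointer, so a second call frees twice. */
static void freemem_dangling(TempState *ms) { model_free(ms->keys); }

/* Hardened release: nulling the pointer makes every later call a harmless no-op. */
static void freemem_idempotent(TempState *ms) {
    model_free(ms->keys);
    ms->keys = NULL;
    ms->alloced = 0;
}

/* Grow path: free the old block first, then allocate; -1 propagates on failure. */
static int getmem(TempState *ms, size_t need, void (*freemem)(TempState *)) {
    if (need <= ms->alloced) return 0;
    freemem(ms);
    void *p = model_malloc(need * sizeof(void *));
    if (p == NULL) return -1;          /* ms->keys is left as freemem() left it */
    ms->keys = p;
    ms->alloced = need;
    return 0;
}

/* Sort-like caller: every error jumps to one cleanup label that releases again.
 * Returns how many double frees the detector observed. */
static int run_sort_path(void (*freemem)(TempState *)) {
    TempState ms = { NULL, 0 };
    g_fail_alloc = 0; g_last_freed = NULL; g_double_frees = 0;
    if (getmem(&ms, 8, freemem) != 0) goto fail;     /* first buffer obtained */
    g_fail_alloc = 1;                                /* memory runs out here */
    if (getmem(&ms, 64, freemem) != 0) goto fail;    /* old block freed, alloc fails */
fail:
    freemem(&ms);                                    /* second release on the error path */
    return g_double_frees;
}
```

run_sort_path(freemem_dangling) reports one double free on the error path, while run_sort_path(freemem_idempotent) reports none.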