classification
Title: PyOS_StdioReadline() leaks memory when realloc() fails
Type: resource usage Stage: resolved
Components: Interpreter Core Versions: Python 3.4, Python 3.3
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: Nosy List: christian.heimes, haypo, kristjan.jonsson, python-dev, serhiy.storchaka
Priority: normal Keywords: patch

Created on 2013-07-05 20:02 by christian.heimes, last changed 2013-08-16 13:03 by christian.heimes. This issue is now closed.

Files
File name Uploaded Description
osreadline.patch christian.heimes, 2013-07-05 20:02
Messages (6)
msg192352 - Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2013-07-05 20:02
PyOS_StdioReadline() contains code such as:

   p = (char *)PyMem_REALLOC(p, n + incr);

The code loses its pointer to p when realloc fails and has no chance to free the memory in p.

Also the code sets PyExc_OverflowError when incr > INT_MAX but it doesn't return NULL to signal the error.
msg192959 - Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2013-07-12 19:10
A similar issue: #14909.
msg192968 - Author: Kristján Valur Jónsson (kristjan.jonsson) * (Python committer) Date: 2013-07-12 20:24
Is it sufficient to check incr > INT_MAX to guard against overflow?
msg194532 - Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2013-08-06 09:03
The patch can be a little simplified (the "else" keyword is redundant), but in general it LGTM. Let's push.
msg194547 - Author: Roundup Robot (python-dev) Date: 2013-08-06 14:03
New changeset 5859a3ec5b7e by Christian Heimes in branch '3.3':
Issue #18368: PyOS_StdioReadline() no longer leaks memory when realloc() fails.
http://hg.python.org/cpython/rev/5859a3ec5b7e

New changeset 6dbc4d6ff31e by Christian Heimes in branch 'default':
Issue #18368: PyOS_StdioReadline() no longer leaks memory when realloc() fails.
http://hg.python.org/cpython/rev/6dbc4d6ff31e
msg194549 - Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2013-08-06 14:16
Serhiy:
Thanks for the review

Kristján:
Yes, it's enough to check for incr > INT_MAX. The buffer size is incremented to a value of <= (2*n)+2 in each round. The start value is 100. The loop is terminated once the buffer size reaches INT_MAX-2.
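The two patterns discussed in this thread side by side, as an added C example that is not CPython code and not the committed patch: grow_leaky() reproduces the leak from msg192352 (realloc() overwrites the only pointer to the buffer), grow_safe() shows the temporary-pointer fix together with the incr > INT_MAX guard asked about in msg192968 and answered in msg194549, and growth_rounds() walks the doubling schedule from msg194549 (start at 100, grow to at most 2*n+2 per round, stop at INT_MAX-2). The function names, the capped_realloc() stand-in for PyMem_REALLOC, and the rule that grow_safe() releases the buffer when it returns NULL are assumptions made for this illustration.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical allocator wrapper standing in for PyMem_REALLOC: it fails
 * (returns NULL) whenever the requested size exceeds alloc_cap, so the
 * realloc-failure path can be driven deterministically. */
size_t alloc_cap = (size_t)-1;
void set_alloc_cap(size_t cap) { alloc_cap = cap; }
void *capped_realloc(void *p, size_t size) {
    return size > alloc_cap ? NULL : realloc(p, size);
}

/* The pattern reported in msg192352: the only pointer to the buffer is
 * overwritten with realloc()'s result. A failed realloc returns NULL and
 * leaves the old block allocated, but nothing points to it any more, so it
 * can never be freed. */
char *grow_leaky(char *p, size_t n, size_t incr) {
    p = (char *)capped_realloc(p, n + incr);
    return p;                 /* NULL on failure; the old block is lost */
}

/* Corrected pattern: reject an increment that does not fit in an int
 * (reported through *overflow), realloc into a separate pointer, and free
 * the still-valid original when realloc fails. Ownership rule assumed here:
 * when this returns NULL the buffer has already been released. */
char *grow_safe(char *p, size_t n, size_t incr, int *overflow) {
    char *np;
    *overflow = 0;
    if (incr > INT_MAX) {     /* the guard discussed in msg192968/msg194549 */
        *overflow = 1;
        free(p);
        return NULL;
    }
    np = (char *)capped_realloc(p, n + incr);
    if (np == NULL) {
        free(p);              /* p is still valid after a failed realloc */
        return NULL;
    }
    return np;
}

/* Growth schedule from msg194549: start at `start`, grow to at most 2*n+2
 * per round, stop once the size reaches `limit` (INT_MAX-2 in the thread).
 * Returns the number of rounds and stores the largest increment requested,
 * so the reader can see how far incr stays below INT_MAX on that schedule. */
int growth_rounds(size_t start, size_t limit, size_t *max_incr) {
    size_t n = start;
    int rounds = 0;
    *max_incr = 0;
    while (n < limit) {
        size_t incr = n + 2;           /* next size would be 2*n + 2 */
        if (incr > limit - n)
            incr = limit - n;          /* clamp the final step to the limit */
        if (incr > *max_incr)
            *max_incr = incr;
        n += incr;
        rounds++;
    }
    return rounds;
}

int main(void) {
    int overflow, rounds;
    size_t max_incr;
    char *buf;

    /* Force realloc to fail. grow_leaky() loses the block (a leak checker
     * reports it); grow_safe() frees it and returns NULL. */
    set_alloc_cap(150);
    buf = (char *)malloc(100);
    buf = grow_leaky(buf, 100, 102);
    printf("leaky grow under failure -> %s\n", buf ? "ok" : "NULL (block lost)");
    buf = (char *)malloc(100);
    buf = grow_safe(buf, 100, 102, &overflow);
    printf("safe grow under failure -> %s, overflow=%d\n", buf ? "ok" : "NULL", overflow);

    /* An increment too large for an int is rejected before any allocation. */
    set_alloc_cap((size_t)-1);
    buf = (char *)malloc(10);
    buf = grow_safe(buf, 10, (size_t)INT_MAX + 1, &overflow);
    printf("oversized incr -> %s, overflow=%d\n", buf ? "ok" : "NULL", overflow);

    rounds = growth_rounds(100, (size_t)INT_MAX - 2, &max_incr);
    printf("rounds from 100 to INT_MAX-2: %d (largest incr %zu)\n", rounds, max_incr);
    return 0;
}
```

Building with -fsanitize=address or running under valgrind reports the block dropped by grow_leaky() as lost while grow_safe() leaves nothing behind; the rounds walk shows that on the schedule described in msg194549 every increment the loop requests stays well below INT_MAX, consistent with the answer that the single incr > INT_MAX check is sufficient.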
History
Date User Action Args
2013-08-16 13:03:14 christian.heimes set status: pending -> closed
2013-08-06 14:16:12 christian.heimes set status: open -> pending
resolution: fixed
messages: + msg194549
stage: patch review -> resolved
2013-08-06 14:03:46 python-dev set nosy: + python-dev
messages: + msg194547
2013-08-06 09:03:26 serhiy.storchaka set messages: + msg194532
2013-07-12 20:24:16 kristjan.jonsson set messages: + msg192968
2013-07-12 19:10:56 serhiy.storchaka set nosy: + kristjan.jonsson, serhiy.storchaka
messages: + msg192959
2013-07-12 18:44:56 haypo set nosy: + haypo
2013-07-05 20:02:43 christian.heimes create