Issue 18368: PyOS_StdioReadline() leaks memory when realloc() fails - Python tracker

classification

Title:	PyOS_StdioReadline() leaks memory when realloc() fails
Type:	resource usage	Stage:	resolved
Components:	Interpreter Core	Versions:	Python 3.4, Python 3.3

process

Status:	closed	Resolution:	fixed
Dependencies:		Superseder:
Assigned To:		Nosy List:	christian.heimes, haypo, kristjan.jonsson, python-dev, serhiy.storchaka
Priority:	normal	Keywords:	patch

Created on 2013-07-05 20:02 by christian.heimes, last changed 2013-08-16 13:03 by christian.heimes. This issue is now closed.

Files
File name	Uploaded	Description	Edit
osreadline.patch	christian.heimes, 2013-07-05 20:02		review

Messages (6)
msg192352 - (view)	Author: Christian Heimes (christian.heimes) *	Date: 2013-07-05 20:02
PyOS_StdioReadline() contains code such as: p = (char *)PyMem_REALLOC(p, n + incr); The code looses its pointer to p when realloc fails and has no chance to free the memory in p. Also the code sets PyExc_OverflowError when incr > INT_MAX but it doesn't return NULL to signal the error.
msg192959 - (view)	Author: Serhiy Storchaka (serhiy.storchaka) *	Date: 2013-07-12 19:10
A similar issue: #14909.
msg192968 - (view)	Author: Kristján Valur Jónsson (kristjan.jonsson) *	Date: 2013-07-12 20:24
Is it sufficient to check incr > INT_MAX to guard against overflow?
msg194532 - (view)	Author: Serhiy Storchaka (serhiy.storchaka) *	Date: 2013-08-06 09:03
The patch can be a little simplified (the "else" keyword is redundant), but in general it LGTM. Let's push.
msg194547 - (view)	Author: Roundup Robot (python-dev)	Date: 2013-08-06 14:03
New changeset 5859a3ec5b7e by Christian Heimes in branch '3.3': Issue #18368: PyOS_StdioReadline() no longer leaks memory when realloc() fails. http://hg.python.org/cpython/rev/5859a3ec5b7e New changeset 6dbc4d6ff31e by Christian Heimes in branch 'default': Issue #18368: PyOS_StdioReadline() no longer leaks memory when realloc() fails. http://hg.python.org/cpython/rev/6dbc4d6ff31e
msg194549 - (view)	Author: Christian Heimes (christian.heimes) *	Date: 2013-08-06 14:16
Serhiy: Thanks for the review Kristján: Yes, it's enough to check for incr > INT_MAX. The buffer size is incremented to a value of <= (2*n)+2 in each round. The start value is 100. The loop is terminated once the buffer size reaches INT_MAX-2.

History
Date	User	Action	Args
2013-08-16 13:03:14	christian.heimes	set	status: pending -> closed
2013-08-06 14:16:12	christian.heimes	set	status: open -> pending resolution: fixed messages: + msg194549 stage: patch review -> resolved
2013-08-06 14:03:46	python-dev	set	nosy: + python-dev messages: + msg194547
2013-08-06 09:03:26	serhiy.storchaka	set	messages: + msg194532
2013-07-12 20:24:16	kristjan.jonsson	set	messages: + msg192968
2013-07-12 19:10:56	serhiy.storchaka	set	nosy: + kristjan.jonsson, serhiy.storchaka messages: + msg192959
2013-07-12 18:44:56	haypo	set	nosy: + haypo
2013-07-05 20:02:43	christian.heimes	create