classification
Title: Bad free in py_sha3_new_impl function
Type: crash
Stage: patch review
Components: Library (Lib)
Versions: Python 3.10
process
Status: open
Resolution:
Dependencies:
Superseder:
Assigned To:
Nosy List: alex.henrie
Priority: normal
Keywords: patch

Created on 2021-03-02 02:49 by alex.henrie, last changed 2021-03-02 02:52 by alex.henrie.

Pull Requests
PR 24702: status open; linked by alex.henrie, 2021-03-02 02:52
Messages (1)
msg387898 - Author: Alex Henrie (alex.henrie) * Date: 2021-03-02 02:49
The py_sha3_new_impl function in sha3module.c has error handling code that looks like this:

    error:
      if (self) {
          Py_DECREF(self);
      }
      if (data && buf.obj) {
          PyBuffer_Release(&buf);
      }

However, there is a `goto error` before the variable buf is initialized. If that error path is triggered, the function will attempt to free an invalid object, possibly leading to a program crash.
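
The failure mode described in the message above, as an added example that is not CPython code and not part of the original report: a small C model of an early `goto error` reaching cleanup that tests a buffer struct which was never set up, next to a form where the struct is zeroed first. The names `buf_t`, `buf_acquire`, `buf_release`, `new_impl` and the `fail_early`/`zero_init` flags are hypothetical stand-ins, and the `0xAA` fill is an assumption used to model stale stack contents deterministically.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for Py_buffer: only the field the cleanup tests. */
typedef struct { void *obj; } buf_t;

static int live_buffers = 0;  /* acquired and not yet released */
static int bad_releases = 0;  /* releases of a buffer that was never acquired */

static void buf_acquire(buf_t *b, void *owner) { b->obj = owner; live_buffers++; }

static void buf_release(buf_t *b) {
    /* Counted here; this is where real code would free an invalid object. */
    if (live_buffers == 0) { bad_releases++; return; }
    live_buffers--;
    b->obj = NULL;
}

/* fail_early models the `goto error` taken before buf is set up.
 * zero_init selects the hardened form (buf zeroed before any jump). */
static int new_impl(void *data, int fail_early, int zero_init) {
    buf_t buf;
    /* 0xAA stands in for stale stack bytes so the demo stays deterministic;
     * the real bug reads whatever happens to be on the stack. */
    memset(&buf, zero_init ? 0 : 0xAA, sizeof buf);

    if (fail_early)
        goto error;               /* buf has not been acquired on this path */
    if (data)
        buf_acquire(&buf, data);
    /* ... hashing would happen here ... */
    if (data && buf.obj)
        buf_release(&buf);
    return 0;

error:
    if (data && buf.obj)          /* same test as the snippet quoted above */
        buf_release(&buf);
    return -1;
}

int main(void) {
    char msg[] = "constructed input";
    new_impl(msg, 1, 0);
    printf("garbage buf, early error: bad releases = %d\n", bad_releases);
    bad_releases = 0;
    new_impl(msg, 1, 1);
    printf("zeroed buf, early error:  bad releases = %d\n", bad_releases);
    return 0;
}
```
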
History
Date User Action Args
2021-03-02 02:52:09 alex.henrie set keywords: + patch; stage: patch review; pull_requests: + pull_request23479
2021-03-02 02:49:55 alex.henrie create