This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

classification
Title: A potential double free in list_sort_impl
Type: security
Stage:
Components:
Versions: Python 3.10

process
Status: open
Resolution:
Dependencies:
Superseder:
Assigned To:
Nosy List: Yunlongs, rhettinger, tim.peters
Priority: normal
Keywords:

Created on 2021-04-16 11:09 by Yunlongs, last changed 2022-04-11 14:59 by admin.

Messages (1)
msg391184 - Author: Yunlongs (Yunlongs) Date: 2021-04-16 11:09
File: Objects/listobject.c

There is a feasible path to trigger a double free if memory is limited. Details as follows:

In function list_sort_impl, it calls merge_collapse(&ms) at line 2,394 and there exist paths to free ms->a.keys:

merge_collapse(&ms) -> merge_at(ms, n) (line 1,938) -> merge_lo(ms, ssa, na, ssb, nb) (line 1,911) -> MERGE_GETMEM(ms, na) (line 1,601) -> merge_freemem(ms) (line 1,565) -> PyMem_Free(ms->a.keys) (line 1,545).

Then if memory is not enough, line 1,568 will return -1 and the error code will propagate to the caller list_sort_impl().

After receiving the error code, list_sort_impl() jumps to fail and calls merge_freemem(&ms) again, freeing ms->a.keys a second time at line 2,431.

The same problem also occurs when merge_force_collapse(&ms) is called at line 2,401.
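As an added example, not code from CPython or from the reporter, a minimal C model (with hypothetical names) of the control flow described in the report: an allocation helper that releases the old key buffer before reallocating and returns -1 on failure, and a caller whose error label calls the same release routine again. The release routine nulls the pointer after free(), which is the property that decides whether the second call is a harmless no-op or a double free; the test counts real frees to show it.

```c
#include <stdlib.h>

/* Hypothetical model (not CPython's code) of the path in the report: the
 * allocation helper frees the old key buffer, fails, returns -1, and the
 * caller's error label calls merge_freemem() a second time. */
typedef struct { int *keys; } MergeState;
static int free_calls;       /* real free() calls, checked by the test */
static int fail_next_alloc;  /* set to 1 to simulate memory exhaustion */
void reset_counts(void) { free_calls = 0; fail_next_alloc = 0; }
int frees_so_far(void) { return free_calls; }

static void *model_alloc(size_t n)
{
    if (fail_next_alloc) { fail_next_alloc = 0; return NULL; }
    return malloc(n);
}

/* Release the buffer. Nulling the pointer after free() turns a repeated call
 * on the error path into a no-op; without that assignment the second call
 * would free the same block again. */
static void merge_freemem(MergeState *ms)
{
    if (ms->keys == NULL) return;
    free(ms->keys);
    free_calls++;
    ms->keys = NULL;
}

/* Grow the buffer: release the old one, then allocate; -1 on failure. */
static int merge_getmem(MergeState *ms, size_t need)
{
    merge_freemem(ms);
    ms->keys = model_alloc(need * sizeof(int));
    return ms->keys == NULL ? -1 : 0;
}

/* Caller modelled on the sort: regrow fails when force_oom is set. */
int sort_model(int force_oom)
{
    MergeState ms = { NULL };
    int rc = -1;
    if (merge_getmem(&ms, 8) < 0) goto fail;
    fail_next_alloc = force_oom;
    if (merge_getmem(&ms, 64) < 0) goto fail;
    rc = 0;
fail:
    merge_freemem(&ms);   /* second release after the failed regrow */
    return rc;
}
```

With force_oom set, the buffer is freed exactly once even though merge_freemem() runs twice; with it clear, both releases free a live buffer and the count is two.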
History
Date                 User      Action  Args
2022-04-11 14:59:44  admin     set     github: 88027
2021-04-16 11:32:34  xtreak    set     nosy: + tim.peters, rhettinger
2021-04-16 11:09:04  Yunlongs  create