Patchwork zstd: prevent potential free() of uninitialized memory

login
register
mail settings
Submitter Gregory Szorc
Date Jan. 17, 2017, 6:20 p.m.
Message ID <29baf7787b317b2aa8e5.1484677250@ubuntu-vm-main>
Download mbox | patch
Permalink /patch/18237/
State Accepted
Headers show

Comments

Gregory Szorc - Jan. 17, 2017, 6:20 p.m.
# HG changeset patch
# User Gregory Szorc <gregory.szorc@gmail.com>
# Date 1484677033 28800
#      Tue Jan 17 10:17:13 2017 -0800
# Node ID 29baf7787b317b2aa8e5393126d7feeb1fa0d8bb
# Parent  923336cf8b8afdb41746ecef8a39d773bd5538bf
zstd: prevent potential free() of uninitialized memory

This is a cherry pick of an upstream fix. The free() of uninitialed
memory could likely only occur if a malloc() inside zstd fails.

The patched functions aren't currently used by Mercurial. But I don't
like leaving footguns sitting around.
Augie Fackler - Jan. 17, 2017, 8:35 p.m.
On Tue, Jan 17, 2017 at 10:20:50AM -0800, Gregory Szorc wrote:
> # HG changeset patch
> # User Gregory Szorc <gregory.szorc@gmail.com>
> # Date 1484677033 28800
> #      Tue Jan 17 10:17:13 2017 -0800
> # Node ID 29baf7787b317b2aa8e5393126d7feeb1fa0d8bb
> # Parent  923336cf8b8afdb41746ecef8a39d773bd5538bf
> zstd: prevent potential free() of uninitialized memory

Seems righteous enough. Queued.

>
> This is a cherry pick of an upstream fix. The free() of uninitialed
> memory could likely only occur if a malloc() inside zstd fails.
>
> The patched functions aren't currently used by Mercurial. But I don't
> like leaving footguns sitting around.
>
> diff --git a/contrib/python-zstandard/c-ext/compressor.c b/contrib/python-zstandard/c-ext/compressor.c
> --- a/contrib/python-zstandard/c-ext/compressor.c
> +++ b/contrib/python-zstandard/c-ext/compressor.c
> @@ -258,6 +258,9 @@ static PyObject* ZstdCompressor_copy_str
>               return NULL;
>       }
>
> +	/* Prevent free on uninitialized memory in finally. */
> +	output.dst = NULL;
> +
>       cstream = CStream_from_ZstdCompressor(self, sourceSize);
>       if (!cstream) {
>               res = NULL;
> diff --git a/contrib/python-zstandard/c-ext/decompressor.c b/contrib/python-zstandard/c-ext/decompressor.c
> --- a/contrib/python-zstandard/c-ext/decompressor.c
> +++ b/contrib/python-zstandard/c-ext/decompressor.c
> @@ -165,6 +165,9 @@ static PyObject* Decompressor_copy_strea
>               return NULL;
>       }
>
> +	/* Prevent free on uninitialized memory in finally. */
> +	output.dst = NULL;
> +
>       dstream = DStream_from_ZstdDecompressor(self);
>       if (!dstream) {
>               res = NULL;
> _______________________________________________
> Mercurial-devel mailing list
> Mercurial-devel@mercurial-scm.org
> https://www.mercurial-scm.org/mailman/listinfo/mercurial-devel

Patch

diff --git a/contrib/python-zstandard/c-ext/compressor.c b/contrib/python-zstandard/c-ext/compressor.c
--- a/contrib/python-zstandard/c-ext/compressor.c
+++ b/contrib/python-zstandard/c-ext/compressor.c
@@ -258,6 +258,9 @@  static PyObject* ZstdCompressor_copy_str
 		return NULL;
 	}
 
+	/* Prevent free on uninitialized memory in finally. */
+	output.dst = NULL;
+
 	cstream = CStream_from_ZstdCompressor(self, sourceSize);
 	if (!cstream) {
 		res = NULL;
diff --git a/contrib/python-zstandard/c-ext/decompressor.c b/contrib/python-zstandard/c-ext/decompressor.c
--- a/contrib/python-zstandard/c-ext/decompressor.c
+++ b/contrib/python-zstandard/c-ext/decompressor.c
@@ -165,6 +165,9 @@  static PyObject* Decompressor_copy_strea
 		return NULL;
 	}
 
+	/* Prevent free on uninitialized memory in finally. */
+	output.dst = NULL;
+
 	dstream = DStream_from_ZstdDecompressor(self);
 	if (!dstream) {
 		res = NULL;