[New-bugs-announce] [issue43861] A potential double free in list_sort_impl

Yunlongs report at bugs.python.org
Fri Apr 16 07:09:04 EDT 2021

New submission from Yunlongs <lylgood at foxmail.com>:

File: Objects/listobject.c

There is a feasible path to trigger a double free if memory is limited. Details as follows:

In function list_sort_impl, it calls merge_collapse(&ms) at line 2,394 and there exist paths to free ms->a.keys:

merge_collapse(&ms) -> merge_at(ms, n) (line 1,938) -> merge_lo(ms, ssa, na, ssb, nb) (line 1,911) -> MERGE_GETMEM(ms, na) (line 1,601) -> merge_freemem(ms) (line 1,565) -> PyMem_Free(ms->a.keys) (line 1,545).

Then if memory is not enough, line 1,568 will return -1 and the error code will propagate to the caller list_sort_impl().

After receiving the error code, list_sort_impl() does goto fail and calls merge_freemem(&ms) again, freeing ms->a.keys a second time at line 2,431.

The same problem also occurs when merge_force_collapse(&ms) is called at line 2,401.

messages: 391184
nosy: Yunlongs
priority: normal
severity: normal
status: open
title: A potential double free in list_sort_impl
type: security
versions: Python 3.10

Python tracker <report at bugs.python.org>
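The report describes a free-then-reallocate helper whose failure return sends the caller to a fail: label that calls the same free helper again. The C program below is an added example, not CPython's listobject.c and not the reporter's code: it models that call structure with hypothetical stand-ins (MergeState, merge_getmem, merge_freemem, sort_with_merge, and a fail_next_alloc hook that simulates memory exhaustion) and shows the mitigation a reviewer would ask for in such a path, a cleanup helper that resets the pointer it frees so a second call on the error path has nothing left to free.

```c
/* Added example (not CPython code). Names below are hypothetical stand-ins
 * for the functions named in the report. */
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>

#define TEMP_SIZE 8

typedef struct {
    void **keys;                 /* current scratch buffer */
    size_t alloced;              /* capacity of keys, in elements */
    void *temparray[TEMP_SIZE];  /* small inline buffer used before any heap alloc */
} MergeState;

/* Test hook (constructed): when non-zero, the next heap allocation fails. */
static int fail_next_alloc = 0;

static void *xmalloc(size_t n)
{
    if (fail_next_alloc) {
        fail_next_alloc = 0;
        return NULL;             /* simulated out-of-memory */
    }
    return malloc(n);
}

static void merge_init(MergeState *ms)
{
    ms->keys = ms->temparray;
    ms->alloced = TEMP_SIZE;
}

/* Idempotent cleanup: only a heap buffer is freed, and the pointer is reset
 * to the inline array, so a second call (for example from the caller's
 * fail: label) finds nothing to free. */
static void merge_freemem(MergeState *ms)
{
    if (ms->keys != ms->temparray) {
        free(ms->keys);
        ms->keys = ms->temparray;
        ms->alloced = TEMP_SIZE;
    }
}

/* Free the old buffer first (its contents are not needed, so no realloc),
 * then allocate. On failure the state is already clean and -1 is returned. */
static int merge_getmem(MergeState *ms, size_t need)
{
    if (need <= TEMP_SIZE)
        return 0;
    merge_freemem(ms);
    void **p = xmalloc(need * sizeof(void *));
    if (p == NULL)
        return -1;               /* caller propagates this and jumps to fail: */
    ms->keys = p;
    ms->alloced = need;
    return 0;
}

/* Caller shaped like the path in the report: two merge steps request scratch
 * memory; any error goes to fail:, which calls merge_freemem again.
 * Returns 0 on success, -1 on (simulated) memory exhaustion. */
static int sort_with_merge(size_t need_first, size_t need_second, int oom_on_second)
{
    MergeState ms;
    int result = -1;
    merge_init(&ms);

    if (merge_getmem(&ms, need_first) < 0)
        goto fail;
    fail_next_alloc = oom_on_second;
    if (merge_getmem(&ms, need_second) < 0)
        goto fail;               /* first heap buffer was already freed inside */
    result = 0;
fail:
    merge_freemem(&ms);          /* second call on the error path: nothing to free */
    fail_next_alloc = 0;         /* clear the hook if the failing alloc was skipped */
    return result;
}

int main(void)
{
    printf("no OOM: %d\n", sort_with_merge(16, 32, 0));
    printf("OOM on second grow: %d\n", sort_with_merge(16, 32, 1));
    return 0;
}
```

The second run exercises exactly the sequence in the report: the helper frees the first heap buffer, the allocation that follows fails, the caller jumps to fail: and calls the free helper once more. Because the helper left ms.keys pointing at the inline array, the repeated call is a no-op rather than a second free of the same block.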
