bpo-31626: Fixed a bug in debug memory allocator. (#3844)

Removed a code that incorrectly detected in-place resizing in realloc() and wrote to freed memory.
2025-09-26 18:29:57 +00:00 · 2017-10-31 14:05:03 +02:00 · 2017-10-31 14:05:03 +02:00 · b484d5606c
commit b484d5606c
parent b9052a0f91
2 changed files with 4 additions and 11 deletions
--- a/Builtins/2017-10-01-15-48-03.bpo-31626.reLPxY.rst
+++ b/Builtins/2017-10-01-15-48-03.bpo-31626.reLPxY.rst
@ -0,0 +1,2 @@
 Fixed a bug in debug memory allocator.  There was a write to freed memory
 after shrinking a memory block.
--- a/Objects/obmalloc.c
+++ b/Objects/obmalloc.c
@ -1460,7 +1460,7 @@ static void *
 _PyMem_DebugRawRealloc(void *ctx, void *p, size_t nbytes)
 {
    debug_alloc_api_t *api = (debug_alloc_api_t *)ctx;
-    uint8_t *q = (uint8_t *)p, *oldq;
+    uint8_t *q = (uint8_t *)p;
    uint8_t *tail;
    size_t total;       /* nbytes + 4*SST */
    size_t original_nbytes;
@ -1477,20 +1477,11 @@ _PyMem_DebugRawRealloc(void *ctx, void *p, size_t nbytes)
        /* overflow:  can't represent total as a Py_ssize_t */
        return NULL;
-    /* Resize and add decorations. We may get a new pointer here, in which
+    /* Resize and add decorations. */
     * case we didn't get the chance to mark the old memory with DEADBYTE,
     * but we live with that.
     */
    oldq = q;
    q = (uint8_t *)api->alloc.realloc(api->alloc.ctx, q - 2*SST, total);
    if (q == NULL)
        return NULL;
    if (q == oldq && nbytes < original_nbytes) {
        /* shrinking:  mark old extra memory dead */
        memset(q + nbytes, DEADBYTE, original_nbytes - nbytes);
    }
    write_size_t(q, nbytes);
    assert(q[SST] == (uint8_t)api->api_id);
    for (i = 1; i < SST; ++i)
		`@ -0,0 +1,2 @@`
							`Fixed a bug in debug memory allocator. There was a write to freed memory`
							`after shrinking a memory block.`