Issue #28275: Fixed possible use adter free in LZMADecompressor.decompress().

Original patch by John Leitch.

Lib/test/test_lzma.py

@@ -246,6 +246,15 @@ class CompressorDecompressorTestCase(unittest.TestCase):
         lzd = LZMADecompressor(lzma.FORMAT_RAW, filters=FILTERS_RAW_1)
         self.assertRaises(LZMAError, lzd.decompress, COMPRESSED_XZ)
 
+    def test_decompressor_bug_28275(self):
+        # Test coverage for Issue 28275
+        lzd = LZMADecompressor()
+        for i in range(2):
+            try:
+                lzd.decompress(COMPRESSED_RAW_1)
+            except LZMAError:
+                pass
+
     # Test that LZMACompressor->LZMADecompressor preserves the input data.
 
     def test_roundtrip_xz(self):

Misc/NEWS

@@ -47,6 +47,9 @@ Core and Builtins
 Library
 -------
 
+- Issue #28275: Fixed possible use adter free in LZMADecompressor.decompress().
+  Original patch by John Leitch.
+
 - Issue #27897: Fixed possible crash in sqlite3.Connection.create_collation()
   if pass invalid string-like object as a name.  Patch by Xiang Zhang.
 

Modules/_lzmamodule.c

@@ -995,8 +995,10 @@ decompress(Decompressor *d, uint8_t *data, size_t len, Py_ssize_t max_length)
     }
 
     result = decompress_buf(d, max_length);
-    if(result == NULL)
+    if (result == NULL) {
+        lzs->next_in = NULL;
         return NULL;
+    }
 
     if (d->eof) {
         d->needs_input = 0;