Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bpo-30602: Fix refleak in os.spawnve() #2184

Merged
merged 1 commit into from
Jun 14, 2017
Merged

bpo-30602: Fix refleak in os.spawnve() #2184

merged 1 commit into from
Jun 14, 2017

Conversation

vstinner
Copy link
Member

When os.spawnve() fails while handling arguments, free correctly
argvlist: pass lastarg+1 rather than lastarg to free_string_array()
to also free the first item.

@vstinner
bpo-30602: Fix refleak in os.spawnve()
dbc8481 
When os.spawnve() fails while handling arguments, free correctly
argvlist: pass lastarg+1 rather than lastarg to free_string_array()
to also free the first item.
@vstinner vstinner merged commit 526b226 into python:master Jun 14, 2017
@vstinner vstinner deleted the spawnve branch June 14, 2017 12:26
eryksun
eryksun reviewed Jun 15, 2017
View reviewed changes
Modules/posixmodule.c
@@ -5302,7 +5302,7 @@ os_spawnve_impl(PyObject *module, int mode, path_t *path, PyObject *argv,
PyMem_DEL(envlist[envc]);
PyMem_DEL(envlist);
fail_1:
free_string_array(argvlist, lastarg);
free_string_array(argvlist, lastarg + 1);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lastarg is set to i on line 5265 when fsconvert_strdup fails. Using lastarg + 1 in this case will free one too many pointers. It's also freeing one too many when all of argv is converted successfully and lastarg is set to argc. In this case argvlist[argc] is a NULL pointer, so freeing it is harmless.

I think the original code only needs a simple, single-line change. For the empty string case on line 5269. fsconvert_strdup has succeeded, so we know there's exactly lastarg = 1 pointer to free.

@vstinner
Copy link
Member Author

@eryksun: "lastarg is set to i on line 5265 when fsconvert_strdup fails. Using lastarg + 1 in this case will free one too many pointers. (...)"

Oh, you are right: I wrote the PR #2287 to fix my fix :-) Can you please review it?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@eryksun eryksun eryksun left review comments

Assignees
No one assigned
Labels
OS-windows
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@vstinner @eryksun @the-knights-who-say-ni