Skip to content

bpo-30602: Fix refleak in os.spawnve() #2184

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Jun 14, 2017
Merged

bpo-30602: Fix refleak in os.spawnve() #2184

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions Modules/posixmodule.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5223,7 +5223,7 @@ os_spawnve_impl(PyObject *module, int mode, path_t *path, PyObject *argv,
Py_ssize_t argc, i, envc;
intptr_t spawnval;
PyObject *(*getitem)(PyObject *, Py_ssize_t);
Py_ssize_t lastarg = 0;
Py_ssize_t lastarg = -1;

/* spawnve has four arguments: (mode, path, argv, env), where
argv is a list or tuple of strings and env is a dictionary
Expand Down Expand Up @@ -5302,7 +5302,7 @@ os_spawnve_impl(PyObject *module, int mode, path_t *path, PyObject *argv,
PyMem_DEL(envlist[envc]);
PyMem_DEL(envlist);
fail_1:
free_string_array(argvlist, lastarg);
free_string_array(argvlist, lastarg + 1);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lastarg is set to i on line 5265 when fsconvert_strdup fails. Using lastarg + 1 in this case will free one too many pointers. It's also freeing one too many when all of argv is converted successfully and lastarg is set to argc. In this case argvlist[argc] is a NULL pointer, so freeing it is harmless.

I think the original code only needs a simple, single-line change. For the empty string case on line 5269. fsconvert_strdup has succeeded, so we know there's exactly lastarg = 1 pointer to free.

fail_0:
return res;
}
Expand Down