[3.11] gh-148395: Fix a possible UAF in {LZMA,BZ2}Decompressor (GH-148396) (#148504)

StanFromIreland · web-flow · commit e20c6c9667c9 · 2026-04-13T22:42:36.000+01:00
Fix dangling input pointer after `MemoryError` in _lzma/_bz2/_ZlibDecompressor.decompress (cherry picked from commit 8fc66ae)
diff --git a/Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst b/Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst
@@ -0,0 +1,5 @@
+Fix a dangling input pointer in :class:`lzma.LZMADecompressor`,
+and :class:`bz2.BZ2Decompressor`
+when memory allocation fails with :exc:`MemoryError`, which could let a
+subsequent :meth:`!decompress` call read or write through a stale pointer to
+the already-released caller buffer.
diff --git a/Modules/_bz2module.c b/Modules/_bz2module.c
@@ -595,6 +595,7 @@ decompress(BZ2Decompressor *d, char *data, size_t len, Py_ssize_t max_length)
     return result;
 
 error:
+    bzs->next_in = NULL;
     Py_XDECREF(result);
     return NULL;
 }
diff --git a/Modules/_lzmamodule.c b/Modules/_lzmamodule.c
@@ -1105,6 +1105,7 @@ decompress(Decompressor *d, uint8_t *data, size_t len, Py_ssize_t max_length)
     return result;
 
 error:
+    lzs->next_in = NULL;
     Py_XDECREF(result);
     return NULL;
 }

Original file line number	Diff line number	Diff line change
`@@ -595,6 +595,7 @@ decompress(BZ2Decompressor d, char data, size_t len, Py_ssize_t max_length)`
`595`	`595`	`return result;`
`596`	`596`
`597`	`597`	`error:`
	`598`	`+ bzs->next_in = NULL;`
`598`	`599`	`Py_XDECREF(result);`
`599`	`600`	`return NULL;`
`600`	`601`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1105,6 +1105,7 @@ decompress(Decompressor d, uint8_t data, size_t len, Py_ssize_t max_length)`
`1105`	`1105`	`return result;`
`1106`	`1106`
`1107`	`1107`	`error:`
	`1108`	`+ lzs->next_in = NULL;`
`1108`	`1109`	`Py_XDECREF(result);`
`1109`	`1110`	`return NULL;`
`1110`	`1111`	`}`