Potential access after free in convert.c
gth828r opened this issue · 2 comments
In the pystring_to_string function of convert.c, there is a potential case of freeing a memory buffer and then trying to access it. The free could occur any time after https://github.com/ChrisRx/quickavro/blob/master/src/convert.c#L263, but another access will occur at https://github.com/ChrisRx/quickavro/blob/master/src/convert.c#L270.
The problem is that buf points to an internal buffer of the variable s after https://github.com/ChrisRx/quickavro/blob/master/src/convert.c#L259, but we don't finish using the buf variable until later. The call to Py_DECREF(s) should be moved down below the last access to buf.
I believe the same problem can occur at https://github.com/ChrisRx/quickavro/blob/master/src/convert.c#L231 and https://github.com/ChrisRx/quickavro/blob/master/src/convert.c#L360.
By the way, I don't think this is an issue that happens all the time. I have been using that code path for quite a while without issue. I started seeing segfaults when I began using long-running tests involving loading a large file of records into memory and then serializing them one by one, and I traced it back to accessing the buf variable at line 270 in the pystring_to_string function. The segfault also occurs if I try to access buf before that, but after the call to Py_DECREF(s), such as attempting to print the string contained in buf.
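The lifetime rule behind the report, as an added example that is not quickavro's code: a constructed refcount model in which StrObj, str_as_borrowed() and str_decref() are hypothetical stand-ins for the CPython object, PyBytes_AsString() and Py_DECREF(), with the reported ordering shown beside the one the issue proposes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model (not CPython, not quickavro): str_as_borrowed() hands
 * out a pointer into the object's own storage, like PyBytes_AsString, and
 * str_decref() frees that storage when the last reference is dropped. */
typedef struct { int refcnt; char *data; } StrObj;

static char *copy_cstr(const char *src) {
    size_t n = strlen(src) + 1;
    char *dst = malloc(n);
    if (dst) memcpy(dst, src, n);
    return dst;
}

StrObj *str_new(const char *text) {
    StrObj *o = malloc(sizeof *o);
    if (!o) return NULL;
    o->refcnt = 1;                    /* caller owns one reference */
    o->data = copy_cstr(text);
    return o;
}

const char *str_as_borrowed(StrObj *o) { return o->data; }  /* borrowed, not owned */

void str_decref(StrObj *o) {
    if (--o->refcnt == 0) {           /* last reference: storage is freed */
        free(o->data);
        free(o);
    }
}

/* Ordering the issue reports: s is released while buf still points into it,
 * so the final read is a use-after-free. Shown for contrast only, never called. */
char *pystring_to_string_buggy(StrObj *s) {
    const char *buf = str_as_borrowed(s);
    str_decref(s);                    /* buf's memory may be gone after this */
    return copy_cstr(buf);            /* dangling read */
}

/* Ordering the issue proposes: keep s alive until the last use of buf. */
char *pystring_to_string_fixed(StrObj *s) {
    const char *buf = str_as_borrowed(s);
    char *out = copy_cstr(buf);       /* last use of buf */
    str_decref(s);                    /* only now is it safe to drop s */
    return out;
}

int main(void) {
    char *r = pystring_to_string_fixed(str_new("avro record"));
    printf("%s\n", r ? r : "(alloc failed)");
    free(r);
    return 0;
}
```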