[PATCH] [3.11] gh-148395: Fix a possible UAF in `{LZMA,BZ2}Decompressor` (GH-148396...

Fix dangling input pointer after `MemoryError` in _lzma/_bz2/_ZlibDecompressor.decompress

(cherry picked from commit 8fc66aef6d7b3ae58f43f5c66f9366cc8cbbfcd2)

Origin: upstream, https://github.com/python/cpython/commit/e20c6c9667c99ecaab96e1a2b3767082841ffc8b

Gbp-Pq: Name CVE-2026-6100.patch

diff --git a/Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst b/Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst
new file mode 100644 (file)
index 0000000..349d1cf
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst
@@ -0,0 +1,5 @@
+Fix a dangling input pointer in :class:`lzma.LZMADecompressor`,
+and :class:`bz2.BZ2Decompressor`
+when memory allocation fails with :exc:`MemoryError`, which could let a
+subsequent :meth:`!decompress` call read or write through a stale pointer to
+the already-released caller buffer.

diff --git a/Modules/_bz2module.c b/Modules/_bz2module.c
index 880632c62349f18d78815e26b442f597991ff6b0..9b17341e49c934f986ff914689bd8bb919557cd6 100644 (file)
--- a/Modules/_bz2module.c
+++ b/Modules/_bz2module.c
@@ -559,6 +559,7 @@ decompress(BZ2Decompressor *d, char *data, size_t len, Py_ssize_t max_length)
     return result;
 
 error:
+    bzs->next_in = NULL;
     Py_XDECREF(result);
     return NULL;
 }

diff --git a/Modules/_lzmamodule.c b/Modules/_lzmamodule.c
index 2a62a6835685059a6cba78c4e655c886bccd0838..dde81238efa4511aaaf1a52e63fe789c3af66cc4 100644 (file)
--- a/Modules/_lzmamodule.c
+++ b/Modules/_lzmamodule.c
@@ -1039,6 +1039,7 @@ decompress(Decompressor *d, uint8_t *data, size_t len, Py_ssize_t max_length)
     return result;
 
 error:
+    lzs->next_in = NULL;
     Py_XDECREF(result);
     return NULL;
 }