[PYTHON-2191] Double free in C extensions when realloc fails in buffer_grow - MongoDB Jira

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major - P3
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 3.11
Component/s: None
Labels:
None

Description

When buffer_grow’s realloc call fails it frees the buffer:
https://github.com/mongodb/mongo-python-driver/blob/3.10.1/bson/buffer.c#L82

This causes a double free later on (for example in _write_dict_to_bson) because the buffer struct is not "owned" by buffer_grow. A fix should ensure that the caller of buffer_grow can always free the buffer, even on error.

Noticed by Coverity.

Attachments

Activity

People

Assignee:: Shane Harvey

Reporter:: Shane Harvey

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: Apr 07 2020 09:29:40 PM UTC

Updated:: Apr 09 2020 08:22:09 PM UTC

Resolved:: Apr 09 2020 08:22:09 PM UTC