bpo-40020: Fix realloc leak on failure in growable_comment_array_add (GH-19083)

ariccio · web-flow · commit 51e3e450fbed · 2020-03-30T23:15:59.000+02:00
Fix a leak and subsequent crash in parsetok.c caused by realloc misuse on a rare codepath. 

Realloc returns a null pointer on failure, and then growable_comment_array_deallocate crashes later when it dereferences it.
diff --git a/Misc/NEWS.d/next/Core and Builtins/2020-03-19-21-53-41.bpo-40020.n-26G7.rst b/Misc/NEWS.d/next/Core and Builtins/2020-03-19-21-53-41.bpo-40020.n-26G7.rst
@@ -0,0 +1 @@
+Fix a leak and subsequent crash in parsetok.c caused by realloc misuse on a rare codepath.
diff --git a/Parser/parsetok.c b/Parser/parsetok.c
@@ -37,11 +37,13 @@ growable_comment_array_init(growable_comment_array *arr, size_t initial_size) {
 static int
 growable_comment_array_add(growable_comment_array *arr, int lineno, char *comment) {
     if (arr->num_items >= arr->size) {
-        arr->size *= 2;
-        arr->items = realloc(arr->items, arr->size * sizeof(*arr->items));
-        if (!arr->items) {
+        size_t new_size = arr->size * 2;
+        void *new_items_array = realloc(arr->items, new_size * sizeof(*arr->items));
+        if (!new_items_array) {
             return 0;
         }
+        arr->items = new_items_array;
+        arr->size = new_size;
     }
 
     arr->items[arr->num_items].lineno = lineno;

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Fix a leak and subsequent crash in parsetok.c caused by realloc misuse on a rare codepath.`