
A potential double free in list_sort_impl #88027

Closed
Yunlongs mannequin opened this issue Apr 16, 2021 · 2 comments
Labels: 3.10 (only security fixes), type-security (A security issue)

Comments


Yunlongs mannequin commented Apr 16, 2021

BPO 43861
Nosy @tim-one, @rhettinger, @Yunlongs

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


GitHub fields:

assignee = None
closed_at = None
created_at = <Date 2021-04-16.11:09:04.297>
labels = ['type-security', '3.10']
title = 'A potential double free in list_sort_impl'
updated_at = <Date 2021-04-16.11:32:34.102>
user = 'https://github.com/Yunlongs'

bugs.python.org fields:

activity = <Date 2021-04-16.11:32:34.102>
actor = 'xtreak'
assignee = 'none'
closed = False
closed_date = None
closer = None
components = []
creation = <Date 2021-04-16.11:09:04.297>
creator = 'Yunlongs'
dependencies = []
files = []
hgrepos = []
issue_num = 43861
keywords = []
message_count = 1.0
messages = ['391184']
nosy_count = 3.0
nosy_names = ['tim.peters', 'rhettinger', 'Yunlongs']
pr_nums = []
priority = 'normal'
resolution = None
stage = None
status = 'open'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue43861'
versions = ['Python 3.10']


Yunlongs mannequin commented Apr 16, 2021

File: Objects/listobject.c

There is a feasible path to trigger a double free if memory is limited. Details as follows:

In function list_sort_impl, it calls merge_collapse(&ms) at line 2,394 and there exist paths to free ms->a.keys:

merge_collapse(&ms) -> merge_at(ms, n) (line 1,938) -> merge_lo(ms, ssa, na, ssb, nb) (line 1,911) -> MERGE_GETMEM(ms, na) (line 1,601) -> merge_freemem(ms) (line 1,565) -> PyMem_Free(ms->a.keys) (line 1,545).

Then if memory is not enough, line 1,568 will return -1 and the error code will propagate to the caller list_sort_impl().

After it receives the error code, list_sort_impl() goes to fail and calls
merge_freemem(&ms) again, freeing ms->a.keys a second time at line 2,431.

The same problem also occurs when merge_force_collapse(&ms) is called at line 2,401.
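The shape of the bug above, reduced to a constructed model that is not CPython's code: a grow helper frees the scratch buffer before reallocating, the allocation fails, and the caller's shared error-exit cleanup frees the same block again. `ScratchState`, `getmem`, `run_sort_like` and the `MAX_SLOTS` cap standing in for an out-of-memory condition are all assumptions of this example; the instrumented `release()` records a repeat free instead of letting the allocator abort, and `freemem_fixed` shows the idempotent cleanup that closes the path.

```c
#include <stdlib.h>
#define TEMP_SLOTS 8
#define MAX_SLOTS  64   /* constructed cap standing in for "out of memory" */
typedef struct {
    void **keys;                 /* current scratch buffer */
    void *temparray[TEMP_SLOTS]; /* small inline buffer used at first */
    size_t alloced;
    void **last_freed;           /* instrumentation: block free() last saw */
    int double_free;             /* instrumentation: set instead of crashing */
} ScratchState;
/* Instrumented free(): a repeat release of one block is recorded, as ASan would. */
static void release(ScratchState *st) {
    if (st->keys == st->last_freed) { st->double_free = 1; return; }
    free(st->keys);
    st->last_freed = st->keys;
}
/* Buggy cleanup: frees the heap buffer but leaves the pointer dangling. */
static void freemem_buggy(ScratchState *st) {
    if (st->keys != (void **)st->temparray) release(st);
}

/* Hardened cleanup: ownership is reset after free(), so a repeat call is a no-op. */
static void freemem_fixed(ScratchState *st) {
    if (st->keys == (void **)st->temparray) return;
    release(st);
    st->keys = (void **)st->temparray;
    st->alloced = TEMP_SLOTS;
}

/* Grow path: free the old block first (no realloc), then allocate; -1 = bail out. */
static int getmem(ScratchState *st, size_t need, void (*freemem)(ScratchState *)) {
    if (need <= st->alloced) return 0;
    freemem(st);
    if (need > MAX_SLOTS) return -1;           /* simulated allocation failure */
    if ((st->keys = malloc(need * sizeof(void *))) == NULL) return -1;
    st->alloced = need;
    return 0;
}

/* Caller shaped like the sort: grow, and on any error run the same cleanup the
 * success path uses. Returns 1 if the cleanup freed the block a second time. */
static int run_sort_like(void (*freemem)(ScratchState *)) {
    ScratchState st = { .alloced = TEMP_SLOTS };  /* other fields zeroed */
    st.keys = (void **)st.temparray;
    if (getmem(&st, 32, freemem) < 0) goto fail;    /* now owns a heap block */
    if (getmem(&st, 4096, freemem) < 0) goto fail;  /* frees it, then fails */
fail:
    freemem(&st);                                   /* second free on the bug */
    return st.double_free;
}
```

Running the real code path under AddressSanitizer with a forced allocation failure reports the same repeat free that the instrumented `release()` flags here.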

@Yunlongs Yunlongs mannequin added 3.10 only security fixes type-security A security issue labels Apr 16, 2021
@ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022

tim-one commented May 6, 2022

Fixed and merged in main and for 3.10.

@tim-one tim-one closed this as completed May 6, 2022