Issue #16411: Fix a bug where zlib.decompressobj().flush() might try to access previously-freed memory.

Patch by Serhiy Storchaka.

Author: nvawda

Lib/test/test_zlib.py

@@ -513,6 +513,18 @@ def test_decompress_unused_data(self):
                 self.assertEqual(dco.unconsumed_tail, b'')
                 self.assertEqual(dco.unused_data, remainder)
 
+    def test_flush_with_freed_input(self):
+        # Issue #16411: decompressor accesses input to last decompress() call
+        # in flush(), even if this object has been freed in the meanwhile.
+        input1 = b'abcdefghijklmnopqrstuvwxyz'
+        input2 = b'QWERTYUIOPASDFGHJKLZXCVBNM'
+        data = zlib.compress(input1)
+        dco = zlib.decompressobj()
+        dco.decompress(data, 1)
+        del data
+        data = zlib.compress(input2)
+        self.assertEqual(dco.flush(), input1[1:])
+
     if hasattr(zlib.compressobj(), "copy"):
         def test_compresscopy(self):
             # Test copying a compression object

Misc/NEWS

@@ -80,6 +80,9 @@ Core and Builtins
 Library
 -------
 
+- Issue #16411: Fix a bug where zlib.decompressobj().flush() might try to access
+  previously-freed memory. Patch by Serhiy Storchaka.
+
 - Issue #16357: fix calling accept() on a SSLSocket created through
   SSLContext.wrap_socket().  Original patch by Jeff McNeil.
 

Modules/zlibmodule.c

@@ -975,6 +975,8 @@ PyZlib_unflush(compobject *self, PyObject *args)
     ENTER_ZLIB(self);
 
     start_total_out = self->zst.total_out;
+    self->zst.avail_in = PyBytes_GET_SIZE(self->unconsumed_tail);
+    self->zst.next_in = (Byte *)PyBytes_AS_STRING(self->unconsumed_tail);
     self->zst.avail_out = length;
     self->zst.next_out = (Byte *)PyBytes_AS_STRING(retval);