BUG: parser buffer could be freed more than once if reading failed in buffer_rd_bytes, causing a segfault

Scott E Lasley · jreback · commit f32b44fed1c2 · 2016-01-27T10:10:42.000-05:00
Closes pandas-dev#12098 Closes pandas-dev#12135
diff --git a/doc/source/whatsnew/v0.18.0.txt b/doc/source/whatsnew/v0.18.0.txt
@@ -543,3 +543,5 @@ Bug Fixes
 - Bug in ``.style`` indexes and multi-indexes not appearing (:issue:`11655`)
 
 - Bug in ``.skew`` and ``.kurt`` due to roundoff error for highly similar values (:issue:`11974`)
+
+- Bug in ``buffer_rd_bytes`` src->buffer could be freed more than once if reading failed, causing a segfault (:issue:`12098`) 
diff --git a/pandas/io/tests/test_parsers.py b/pandas/io/tests/test_parsers.py
@@ -3667,6 +3667,25 @@ def test_buffer_overflow(self):
                 self.assertIn(
                     'Buffer overflow caught - possible malformed input file.', str(cperr))
 
+    def test_buffer_rd_bytes(self):
+        # GH 12098
+        # src->buffer can be freed twice leading to a segfault if a corrupt 
+        # gzip file is read with read_csv and the buffer is filled more than
+        # once before gzip throws an exception
+        
+        data = '\x1F\x8B\x08\x00\x00\x00\x00\x00\x00\x03\xED\xC3\x41\x09' \
+               '\x00\x00\x08\x00\xB1\xB7\xB6\xBA\xFE\xA5\xCC\x21\x6C\xB0' \
+               '\xA6\x4D' + '\x55' * 267 + \
+               '\x7D\xF7\x00\x91\xE0\x47\x97\x14\x38\x04\x00' \
+               '\x1f\x8b\x08\x00VT\x97V\x00\x03\xed]\xefO'
+        for i in range(100):
+            try:
+                _ = self.read_csv(StringIO(data),
+                                  compression='gzip',
+                                  delim_whitespace=True)
+            except Exception as e:
+                pass
+
     def test_single_char_leading_whitespace(self):
         # GH 9710
         data = """\
@@ -4208,6 +4227,25 @@ def test_buffer_overflow(self):
                 self.assertIn(
                     'Buffer overflow caught - possible malformed input file.', str(cperr))
 
+    def test_buffer_rd_bytes(self):
+        # GH 12098
+        # src->buffer can be freed twice leading to a segfault if a corrupt 
+        # gzip file is read with read_csv and the buffer is filled more than
+        # once before gzip throws an exception
+        
+        data = '\x1F\x8B\x08\x00\x00\x00\x00\x00\x00\x03\xED\xC3\x41\x09' \
+               '\x00\x00\x08\x00\xB1\xB7\xB6\xBA\xFE\xA5\xCC\x21\x6C\xB0' \
+               '\xA6\x4D' + '\x55' * 267 + \
+               '\x7D\xF7\x00\x91\xE0\x47\x97\x14\x38\x04\x00' \
+               '\x1f\x8b\x08\x00VT\x97V\x00\x03\xed]\xefO'
+        for i in range(100):
+            try:
+                _ = self.read_csv(StringIO(data),
+                                  compression='gzip',
+                                  delim_whitespace=True)
+            except Exception as e:
+                pass
+
     def test_single_char_leading_whitespace(self):
         # GH 9710
         data = """\
diff --git a/pandas/src/parser/io.c b/pandas/src/parser/io.c
@@ -121,6 +121,7 @@ void* buffer_rd_bytes(void *source, size_t nbytes,
 
     /* delete old object */
     Py_XDECREF(src->buffer);
+    src->buffer = NULL;
     args = Py_BuildValue("(i)", nbytes);
 
     func = PyObject_GetAttrString(src->obj, "read");
