Fixed use-after-free in fp_read_object()

agronholm · Jan 23, 2024 · b6f1a98 · b6f1a98
1 parent e1b374c
commit b6f1a98
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 1 deletion.
diff --git a/docs/versionhistory.rst b/docs/versionhistory.rst
@@ -5,6 +5,10 @@ Version history
 
 This library adheres to `Semantic Versioning <http://semver.org/>`_.
 
+**UNRELEASED**
+
+- Fixed use-after-free in the decoder's C version when prematurely encountering the end of stream
+
 **5.6.0** (2024-01-17)
 
 - Added the ``cbor2`` command line tool (for ``pipx run cbor2``)

diff --git a/source/decoder.c b/source/decoder.c
@@ -388,11 +388,11 @@ fp_read_object(CBORDecoderObject *self, const Py_ssize_t size)
             if (PyBytes_GET_SIZE(obj) == (Py_ssize_t) size) {
                 ret = obj;
             } else {
-                Py_DECREF(obj);
                 PyErr_Format(
                     _CBOR2_CBORDecodeEOF,
                     "premature end of stream (expected to read %zd bytes, "
                     "got %zd instead)", size, PyBytes_GET_SIZE(obj));
+                Py_DECREF(obj);
             }
         }
     }