gh-148688: Fix _BlocksOutputBuffer_Finish() double free (#148689)

If _BlocksOutputBuffer_Finish() fails (memory allocation failure),
PyBytesWriter_Discard() is called on the writer. Then if
_BlocksOutputBuffer_OnError() is called, it calls again
PyBytesWriter_Discard() causing a double free.

Fix _BlocksOutputBuffer_Finish() by setting buffer->writer to NULL,
so _BlocksOutputBuffer_OnError() does nothing instead of calling
PyBytesWriter_Discard() again.

Author: vstinner

Include/internal/pycore_blocks_output_buffer.h

@@ -242,9 +242,12 @@ static inline PyObject *
 _BlocksOutputBuffer_Finish(_BlocksOutputBuffer *buffer,
                            const Py_ssize_t avail_out)
 {
+    PyObject *obj;
     assert(buffer->writer != NULL);
-    return PyBytesWriter_FinishWithSize(buffer->writer,
-                                        buffer->allocated - avail_out);
+    obj = PyBytesWriter_FinishWithSize(buffer->writer,
+                                       buffer->allocated - avail_out);
+    buffer->writer = NULL;
+    return obj;
 }
 
 /* Clean up the buffer when an error occurred. */

Misc/NEWS.d/next/Library/2026-04-17-16-31-58.gh-issue-148688.vVugFn.rst

@@ -0,0 +1,2 @@
+:mod:`bz2`, :mod:`compression.zstd`, :mod:`lzma`, :mod:`zlib`: Fix a double
+free on memory allocation failure. Patch by Victor Stinner.