Coverity reports a leak within the json module:

Error: RESOURCE_LEAK (CWE-772): [#def26]
Python-2.7.15/Modules/_json.c:1367: alloc_fn: Storage is returned from allocation function "PyString_FromStringAndSize".
Python-2.7.15/Objects/stringobject.c:88:5: alloc_fn: Storage is returned from allocation function "PyObject_Malloc".
Python-2.7.15/Objects/obmalloc.c:982:5: alloc_fn: Storage is returned from allocation function "malloc".
Python-2.7.15/Objects/obmalloc.c:982:5: return_alloc_fn: Directly returning storage allocated by "malloc".
Python-2.7.15/Objects/stringobject.c:88:5: var_assign: Assigning: "op" = "PyObject_Malloc(37UL + size)".
Python-2.7.15/Objects/stringobject.c:111:5: return_alloc: Returning allocated memory "op".
Python-2.7.15/Modules/_json.c:1367: var_assign: Assigning: "numstr" = storage returned from "PyString_FromStringAndSize(&str[start], idx - start)".
Python-2.7.15/Modules/_json.c:1379: leaked_storage: Variable "numstr" going out of scope leaks the storage it points to.
 1377|                                                NULL, NULL);
 1378|               if (d == -1.0 && PyErr_Occurred())
 1379|->                 return NULL;
 1380|               rval = PyFloat_FromDouble(d);
 1381|           }

Note for myself: Python 3 isn't affected by this issue. The issue in Python 2 is in the _match_number_str() function which doesn't exist in Python 3. In Python 3, _parse_object_unicode() uses a very different code: it calls PyFloat_FromString() or PyLong_FromString() for numstr.

New changeset fb3336acfde3204fd01ce519ef24cc18a94dfa3f by Victor Stinner (stratakis) in branch '2.7':
[2.7] bpo-36291: Fix a possible reference leak in the json module (GH-12330)
https://github.com/python/cpython/commit/fb3336acfde3204fd01ce519ef24cc18a94dfa3f

Thanks Charalampos, I merged your PR.

stage: patch review -> resolved

nosy: + matrixise