changeset: 99340:935debb548a3
parent: 99337:1da622f4630b
parent: 99339:88ad2b8480b1
user: Serhiy Storchaka storchaka@gmail.com
date: Wed Nov 25 15:07:36 2015 +0200
files: Misc/NEWS Modules/_pickle.c
description:
Issue #25725: Fixed a reference leak in pickle.loads() when unpickling invalid data including tuple instructions.
diff -r 1da622f4630b -r 935debb548a3 Misc/NEWS
--- a/Misc/NEWS Tue Nov 24 23:24:17 2015 +0000
+++ b/Misc/NEWS Wed Nov 25 15:07:36 2015 +0200
@@ -95,6 +95,9 @@
 Library
 -------
 
+- Issue #25725: Fixed a reference leak in pickle.loads() when unpickling
+ invalid data including tuple instructions.
+
 - Issue #25663: In the Readline completer, avoid listing duplicate global
 names, and search the global namespace before searching builtins.
 
diff -r 1da622f4630b -r 935debb548a3 Modules/_pickle.c
--- a/Modules/_pickle.c Tue Nov 24 23:24:17 2015 +0000
+++ b/Modules/_pickle.c Wed Nov 25 15:07:36 2015 +0200
@@ -5047,15 +5047,14 @@
 }
 
 static int
-load_tuple(UnpicklerObject *self)
+load_counted_tuple(UnpicklerObject *self, int len)
 {
 PyObject *tuple;
- Py_ssize_t i;
-
- if ((i = marker(self)) < 0)
- return -1;
-
- tuple = Pdata_poptuple(self->stack, i);
+
+ if (Py_SIZE(self->stack) < len)
+ return stack_underflow();
+
+ tuple = Pdata_poptuple(self->stack, Py_SIZE(self->stack) - len);
 if (tuple == NULL)
 return -1;
 PDATA_PUSH(self->stack, tuple, -1);
@@ -5063,24 +5062,14 @@
 }
 
 static int
-load_counted_tuple(UnpicklerObject *self, int len)
-{
- PyObject *tuple;
-
- tuple = PyTuple_New(len);
- if (tuple == NULL)
- return -1;
-
- while (--len >= 0) {
- PyObject *item;
-
- PDATA_POP(self->stack, item);
- if (item == NULL)
- return -1;
- PyTuple_SET_ITEM(tuple, len, item);
- }
- PDATA_PUSH(self->stack, tuple, -1);
- return 0;
+load_tuple(UnpicklerObject *self)
+{
+ Py_ssize_t i;
+
+ if ((i = marker(self)) < 0)
+ return -1;
+
+ return load_counted_tuple(self, Py_SIZE(self->stack) - i);
 }
 
 static int
/storchaka@gmail.com
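Review bot: `load_counted_tuple` still declares `int len` in the first Modules/_pickle.c hunk, while the new `load_tuple` in the second hunk passes it `Py_SIZE(self->stack) - i`, a `Py_ssize_t` difference, so on a 64-bit build a very large run of items above the mark would be narrowed before the `Py_SIZE(self->stack) < len` underflow check ever sees it. Because this path parses pickle data that may come from an untrusted source, the count should keep its full width: `load_counted_tuple(UnpicklerObject *self, Py_ssize_t len)`. A negative `len` also passes the check as written, so `if (len < 0 || Py_SIZE(self->stack) < len)` would make the guard self-contained instead of depending on what `marker()` and `Pdata_poptuple()` do with out-of-range values, neither of which is visible here. The tail of `load_counted_tuple` (`return 0;` and its closing brace) lies between the two hunks, and the changeset's file list names only Misc/NEWS and Modules/_pickle.c, so a regression test that feeds a tuple opcode with too few stack items appears to be missing.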