Issue #25725: Fixed a reference leak in pickle.loads() when unpickling

invalid data including tuple instructions.
author: Serhiy Storchaka <storchaka@gmail.com> 2015-11-25 13:01:53 (GMT)
committer: Serhiy Storchaka <storchaka@gmail.com> 2015-11-25 13:01:53 (GMT)
commit: a49de6be3669e4698ea55d22e0fdebb29be63f2e (patch)
tree: ce1d0e35d71de6a04b8a8cb6b77e1cd18941c535
parent: 4f44d53770c42818a4d8ca4036e2602fff3a7c88 (diff)
download: cpython-a49de6be3669e4698ea55d22e0fdebb29be63f2e.zip
cpython-a49de6be3669e4698ea55d22e0fdebb29be63f2e.tar.gz
cpython-a49de6be3669e4698ea55d22e0fdebb29be63f2e.tar.bz2
2 files changed, 11 insertions, 19 deletions
diff --git a/Misc/NEWS b/Misc/NEWS
index c98cd96..347ce48 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -106,6 +106,9 @@ Core and Builtins
 Library
 -------
 
+- Issue #25725: Fixed a reference leak in pickle.loads() when unpickling
+  invalid data including tuple instructions.
+
 - Issue #25663: In the Readline completer, avoid listing duplicate global
   names, and search the global namespace before searching builtins.
 
diff --git a/Modules/_pickle.c b/Modules/_pickle.c
index d3bc420..6ff16bb 100644
--- a/Modules/_pickle.c
+++ b/Modules/_pickle.c
@@ -4915,15 +4915,14 @@ load_counted_binunicode(UnpicklerObject *self, int nbytes)
 }
 
 static int
-load_tuple(UnpicklerObject *self)
+load_counted_tuple(UnpicklerObject *self, int len)
 {
     PyObject *tuple;
-    Py_ssize_t i;
 
-    if ((i = marker(self)) < 0)
-        return -1;
+    if (Py_SIZE(self->stack) < len)
+        return stack_underflow();
 
-    tuple = Pdata_poptuple(self->stack, i);
+    tuple = Pdata_poptuple(self->stack, Py_SIZE(self->stack) - len);
     if (tuple == NULL)
         return -1;
     PDATA_PUSH(self->stack, tuple, -1);
@@ -4931,24 +4930,14 @@ load_tuple(UnpicklerObject *self)
 }
 
 static int
-load_counted_tuple(UnpicklerObject *self, int len)
+load_tuple(UnpicklerObject *self)
 {
-    PyObject *tuple;
+    Py_ssize_t i;
 
-    tuple = PyTuple_New(len);
-    if (tuple == NULL)
+    if ((i = marker(self)) < 0)
         return -1;
 
-    while (--len >= 0) {
-        PyObject *item;
-
-        PDATA_POP(self->stack, item);
-        if (item == NULL)
-            return -1;
-        PyTuple_SET_ITEM(tuple, len, item);
-    }
-    PDATA_PUSH(self->stack, tuple, -1);
-    return 0;
+    return load_counted_tuple(self, Py_SIZE(self->stack) - i);
 }
 
 static int
author	Serhiy Storchaka <storchaka@gmail.com>	2015-11-25 13:01:53 (GMT)
committer	Serhiy Storchaka <storchaka@gmail.com>	2015-11-25 13:01:53 (GMT)
commit	a49de6be3669e4698ea55d22e0fdebb29be63f2e (patch)
tree	ce1d0e35d71de6a04b8a8cb6b77e1cd18941c535
parent	4f44d53770c42818a4d8ca4036e2602fff3a7c88 (diff)
download	cpython-a49de6be3669e4698ea55d22e0fdebb29be63f2e.zip cpython-a49de6be3669e4698ea55d22e0fdebb29be63f2e.tar.gz cpython-a49de6be3669e4698ea55d22e0fdebb29be63f2e.tar.bz2