summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSerhiy Storchaka <storchaka@gmail.com>2015-11-25 13:06:49 (GMT)
committerSerhiy Storchaka <storchaka@gmail.com>2015-11-25 13:06:49 (GMT)
commitc5f3b4285a8f3f90305d777a88a856a623c22cb1 (patch)
tree70ccaf2dc6bbaae8b30016aa441a32ec9392b677
parent46cc4a8f320d252c12edeeaae1f0ac87b155399d (diff)
parenta49de6be3669e4698ea55d22e0fdebb29be63f2e (diff)
downloadcpython-c5f3b4285a8f3f90305d777a88a856a623c22cb1.zip
cpython-c5f3b4285a8f3f90305d777a88a856a623c22cb1.tar.gz
cpython-c5f3b4285a8f3f90305d777a88a856a623c22cb1.tar.bz2
Issue #25725: Fixed a reference leak in pickle.loads() when unpickling
invalid data including tuple instructions.
-rw-r--r--Misc/NEWS3
-rw-r--r--Modules/_pickle.c27
2 files changed, 11 insertions, 19 deletions
diff --git a/Misc/NEWS b/Misc/NEWS
index b4ac095..97e2ecd 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -13,6 +13,9 @@ Core and Builtins
Library
-------
+- Issue #25725: Fixed a reference leak in pickle.loads() when unpickling
+ invalid data including tuple instructions.
+
- Issue #25663: In the Readline completer, avoid listing duplicate global
names, and search the global namespace before searching builtins.
diff --git a/Modules/_pickle.c b/Modules/_pickle.c
index 05afd06..6125c25 100644
--- a/Modules/_pickle.c
+++ b/Modules/_pickle.c
@@ -4984,15 +4984,14 @@ load_counted_binunicode(UnpicklerObject *self, int nbytes)
}
static int
-load_tuple(UnpicklerObject *self)
+load_counted_tuple(UnpicklerObject *self, int len)
{
PyObject *tuple;
- Py_ssize_t i;
- if ((i = marker(self)) < 0)
- return -1;
+ if (Py_SIZE(self->stack) < len)
+ return stack_underflow();
- tuple = Pdata_poptuple(self->stack, i);
+ tuple = Pdata_poptuple(self->stack, Py_SIZE(self->stack) - len);
if (tuple == NULL)
return -1;
PDATA_PUSH(self->stack, tuple, -1);
@@ -5000,24 +4999,14 @@ load_tuple(UnpicklerObject *self)
}
static int
-load_counted_tuple(UnpicklerObject *self, int len)
+load_tuple(UnpicklerObject *self)
{
- PyObject *tuple;
+ Py_ssize_t i;
- tuple = PyTuple_New(len);
- if (tuple == NULL)
+ if ((i = marker(self)) < 0)
return -1;
- while (--len >= 0) {
- PyObject *item;
-
- PDATA_POP(self->stack, item);
- if (item == NULL)
- return -1;
- PyTuple_SET_ITEM(tuple, len, item);
- }
- PDATA_PUSH(self->stack, tuple, -1);
- return 0;
+ return load_counted_tuple(self, Py_SIZE(self->stack) - i);
}
static int