diff options
| author | Serhiy Storchaka <storchaka@gmail.com> | 2015-11-25 13:07:49 (GMT) |
|---|---|---|
| committer | Serhiy Storchaka <storchaka@gmail.com> | 2015-11-25 13:07:49 (GMT) |
| commit | 80767a38c74318acbd6fc4bfe228a1d0c0556221 (patch) | |
| tree | 70e46c52afde844baec9eae56f850ce7e4a798a1 /Modules | |
| parent | c9625c8e4b6f7057af23af534f8825c2f3f74d48 (diff) | |
| download | cpython-80767a38c74318acbd6fc4bfe228a1d0c0556221.zip cpython-80767a38c74318acbd6fc4bfe228a1d0c0556221.tar.gz cpython-80767a38c74318acbd6fc4bfe228a1d0c0556221.tar.bz2 | |
Issue #25725: Fixed a reference leak in cPickle.loads() when unpickling
invalid data including tuple instructions.
Diffstat (limited to 'Modules')
| -rw-r--r-- | Modules/cPickle.c | 29 |
1 files changed, 10 insertions, 19 deletions
diff --git a/Modules/cPickle.c b/Modules/cPickle.c index b053aa5..e195961 100644 --- a/Modules/cPickle.c +++ b/Modules/cPickle.c @@ -3798,35 +3798,26 @@ load_binunicode(Unpicklerobject *self) static int -load_tuple(Unpicklerobject *self) +load_counted_tuple(Unpicklerobject *self, int len) { PyObject *tup; - Py_ssize_t i; - if ((i = marker(self)) < 0) return -1; - if (!( tup=Pdata_popTuple(self->stack, i))) return -1; + if (self->stack->length < len) + return stackUnderflow(); + + if (!(tup = Pdata_popTuple(self->stack, self->stack->length - len))) + return -1; PDATA_PUSH(self->stack, tup, -1); return 0; } static int -load_counted_tuple(Unpicklerobject *self, int len) +load_tuple(Unpicklerobject *self) { - PyObject *tup = PyTuple_New(len); - - if (tup == NULL) - return -1; - - while (--len >= 0) { - PyObject *element; + Py_ssize_t i; - PDATA_POP(self->stack, element); - if (element == NULL) - return -1; - PyTuple_SET_ITEM(tup, len, element); - } - PDATA_PUSH(self->stack, tup, -1); - return 0; + if ((i = marker(self)) < 0) return -1; + return load_counted_tuple(self, self->stack->length - i); } static int |