diff options
author | Serhiy Storchaka <storchaka@gmail.com> | 2013-07-11 19:28:18 (GMT) |
---|---|---|
committer | Serhiy Storchaka <storchaka@gmail.com> | 2013-07-11 19:28:18 (GMT) |
commit | f9e6672ae8044f9dbcbafe98a6b63ab30189770e (patch) | |
tree | 6242914317002844fbb1b7645fa5f458d67e33ad /Python/marshal.c | |
parent | 4fcf1b2bb74b1e1ea736951b710a6a69cbcd2963 (diff) | |
parent | 3641a74e1c03ce153042d2c21639e5b6b9604f3b (diff) | |
download | cpython-f9e6672ae8044f9dbcbafe98a6b63ab30189770e.zip cpython-f9e6672ae8044f9dbcbafe98a6b63ab30189770e.tar.gz cpython-f9e6672ae8044f9dbcbafe98a6b63ab30189770e.tar.bz2 |
Issue #17872: Fix a segfault in marshal.load() when input stream returns
more bytes than requested.
Diffstat (limited to 'Python/marshal.c')
-rw-r--r-- | Python/marshal.c | 35 |
1 files changed, 20 insertions, 15 deletions
diff --git a/Python/marshal.c b/Python/marshal.c index a45e148..1997e19 100644 --- a/Python/marshal.c +++ b/Python/marshal.c @@ -570,8 +570,17 @@ r_string(char *s, Py_ssize_t n, RFILE *p) else { read = (int)PyBytes_GET_SIZE(data); if (read > 0) { - ptr = PyBytes_AS_STRING(data); - memcpy(s, ptr, read); + if (read > n) { + PyErr_Format(PyExc_ValueError, + "read() returned too much data: " + "%zd bytes requested, %zd returned", + n, read); + read = -1; + } + else { + ptr = PyBytes_AS_STRING(data); + memcpy(s, ptr, read); + } } } Py_DECREF(data); @@ -841,11 +850,13 @@ r_object(RFILE *p) double dx; retval = NULL; n = r_byte(p); - if (n == EOF || r_string(buf, n, p) != n) { + if (n == EOF) { PyErr_SetString(PyExc_EOFError, "EOF read where object expected"); break; } + if (r_string(buf, n, p) != n) + break; buf[n] = '\0'; dx = PyOS_string_to_double(buf, NULL, NULL); if (dx == -1.0 && PyErr_Occurred()) @@ -860,8 +871,6 @@ r_object(RFILE *p) unsigned char buf[8]; double x; if (r_string((char*)buf, 8, p) != 8) { - PyErr_SetString(PyExc_EOFError, - "EOF read where object expected"); retval = NULL; break; } @@ -881,21 +890,25 @@ r_object(RFILE *p) Py_complex c; retval = NULL; n = r_byte(p); - if (n == EOF || r_string(buf, n, p) != n) { + if (n == EOF) { PyErr_SetString(PyExc_EOFError, "EOF read where object expected"); break; } + if (r_string(buf, n, p) != n) + break; buf[n] = '\0'; c.real = PyOS_string_to_double(buf, NULL, NULL); if (c.real == -1.0 && PyErr_Occurred()) break; n = r_byte(p); - if (n == EOF || r_string(buf, n, p) != n) { + if (n == EOF) { PyErr_SetString(PyExc_EOFError, "EOF read where object expected"); break; } + if (r_string(buf, n, p) != n) + break; buf[n] = '\0'; c.imag = PyOS_string_to_double(buf, NULL, NULL); if (c.imag == -1.0 && PyErr_Occurred()) @@ -910,8 +923,6 @@ r_object(RFILE *p) unsigned char buf[8]; Py_complex c; if (r_string((char*)buf, 8, p) != 8) { - PyErr_SetString(PyExc_EOFError, - "EOF read where object expected"); retval = NULL; break; } @@ -921,8 +932,6 @@ r_object(RFILE *p) break; } if (r_string((char*)buf, 8, p) != 8) { - PyErr_SetString(PyExc_EOFError, - "EOF read where object expected"); retval = NULL; break; } @@ -954,8 +963,6 @@ r_object(RFILE *p) } if (r_string(PyBytes_AS_STRING(v), n, p) != n) { Py_DECREF(v); - PyErr_SetString(PyExc_EOFError, - "EOF read where object expected"); retval = NULL; break; } @@ -986,8 +993,6 @@ r_object(RFILE *p) } if (r_string(buffer, n, p) != n) { PyMem_DEL(buffer); - PyErr_SetString(PyExc_EOFError, - "EOF read where object expected"); retval = NULL; break; } |