diff options
| -rw-r--r-- | Lib/test/test_marshal.py | 9 | ||||
| -rw-r--r-- | Python/marshal.c | 4 |
2 files changed, 13 insertions, 0 deletions
diff --git a/Lib/test/test_marshal.py b/Lib/test/test_marshal.py index b62e2d8..f87495b 100644 --- a/Lib/test/test_marshal.py +++ b/Lib/test/test_marshal.py @@ -211,6 +211,15 @@ class BugsTestCase(unittest.TestCase): self.assertEquals(marshal.loads(marshal.dumps(5, 0)), 5) self.assertEquals(marshal.loads(marshal.dumps(5, 1)), 5) + def test_fuzz(self): + # simple test that it's at least not *totally* trivial to + # crash from bad marshal data + for c in [chr(i) for i in range(256)]: + try: + marshal.loads(c) + except Exception: + pass + def test_main(): test_support.run_unittest(IntTestCase, FloatTestCase, diff --git a/Python/marshal.c b/Python/marshal.c index 6c65700..7f38a46 100644 --- a/Python/marshal.c +++ b/Python/marshal.c @@ -648,6 +648,10 @@ r_object(RFILE *p) case TYPE_STRINGREF: n = r_long(p); + if (n < 0 || n >= PyList_GET_SIZE(p->strings)) { + PyErr_SetString(PyExc_ValueError, "bad marshal data"); + return NULL; + } v = PyList_GET_ITEM(p->strings, n); Py_INCREF(v); return v; |