From f2ca5af43919e790f4e1b5dc3edeac6561e6e19b Mon Sep 17 00:00:00 2001 From: "Michael W. Hudson" Date: Mon, 13 Jun 2005 18:28:46 +0000 Subject: Fix bug [ 1180997 ] lax error-checking in new-in-2.4 marshal stuff which I'd assigned to Martin, but actually turned out to be easy to fix. Also, a test. --- Lib/test/test_marshal.py | 9 +++++++++ Python/marshal.c | 4 ++++ 2 files changed, 13 insertions(+) diff --git a/Lib/test/test_marshal.py b/Lib/test/test_marshal.py index b62e2d8..f87495b 100644 --- a/Lib/test/test_marshal.py +++ b/Lib/test/test_marshal.py @@ -211,6 +211,15 @@ class BugsTestCase(unittest.TestCase): self.assertEquals(marshal.loads(marshal.dumps(5, 0)), 5) self.assertEquals(marshal.loads(marshal.dumps(5, 1)), 5) + def test_fuzz(self): + # simple test that it's at least not *totally* trivial to + # crash from bad marshal data + for c in [chr(i) for i in range(256)]: + try: + marshal.loads(c) + except Exception: + pass + def test_main(): test_support.run_unittest(IntTestCase, FloatTestCase, diff --git a/Python/marshal.c b/Python/marshal.c index 6c65700..7f38a46 100644 --- a/Python/marshal.c +++ b/Python/marshal.c @@ -648,6 +648,10 @@ r_object(RFILE *p) case TYPE_STRINGREF: n = r_long(p); + if (n < 0 || n >= PyList_GET_SIZE(p->strings)) { + PyErr_SetString(PyExc_ValueError, "bad marshal data"); + return NULL; + } v = PyList_GET_ITEM(p->strings, n); Py_INCREF(v); return v; -- cgit v0.12