From a49de6be3669e4698ea55d22e0fdebb29be63f2e Mon Sep 17 00:00:00 2001 From: Serhiy Storchaka Date: Wed, 25 Nov 2015 15:01:53 +0200 Subject: Issue #25725: Fixed a reference leak in pickle.loads() when unpickling invalid data including tuple instructions. --- Misc/NEWS | 3 +++ Modules/_pickle.c | 27 ++++++++------------------- 2 files changed, 11 insertions(+), 19 deletions(-) diff --git a/Misc/NEWS b/Misc/NEWS index c98cd96..347ce48 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -106,6 +106,9 @@ Core and Builtins Library ------- +- Issue #25725: Fixed a reference leak in pickle.loads() when unpickling + invalid data including tuple instructions. + - Issue #25663: In the Readline completer, avoid listing duplicate global names, and search the global namespace before searching builtins. diff --git a/Modules/_pickle.c b/Modules/_pickle.c index d3bc420..6ff16bb 100644 --- a/Modules/_pickle.c +++ b/Modules/_pickle.c @@ -4915,15 +4915,14 @@ load_counted_binunicode(UnpicklerObject *self, int nbytes) } static int -load_tuple(UnpicklerObject *self) +load_counted_tuple(UnpicklerObject *self, int len) { PyObject *tuple; - Py_ssize_t i; - if ((i = marker(self)) < 0) - return -1; + if (Py_SIZE(self->stack) < len) + return stack_underflow(); - tuple = Pdata_poptuple(self->stack, i); + tuple = Pdata_poptuple(self->stack, Py_SIZE(self->stack) - len); if (tuple == NULL) return -1; PDATA_PUSH(self->stack, tuple, -1); @@ -4931,24 +4930,14 @@ load_tuple(UnpicklerObject *self) } static int -load_counted_tuple(UnpicklerObject *self, int len) +load_tuple(UnpicklerObject *self) { - PyObject *tuple; + Py_ssize_t i; - tuple = PyTuple_New(len); - if (tuple == NULL) + if ((i = marker(self)) < 0) return -1; - while (--len >= 0) { - PyObject *item; - - PDATA_POP(self->stack, item); - if (item == NULL) - return -1; - PyTuple_SET_ITEM(tuple, len, item); - } - PDATA_PUSH(self->stack, tuple, -1); - return 0; + return load_counted_tuple(self, Py_SIZE(self->stack) - i); } static int -- cgit v0.12