From da23056a3ed33d2ae69752f7d113059333176297 Mon Sep 17 00:00:00 2001
From: Victor Stinner <victor.stinner@gmail.com>
Date: Fri, 20 May 2016 21:16:59 +0200
Subject: Issue #27056: Fix _Unpickler_Read() to avoid integer overflow

---
 Modules/_pickle.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Modules/_pickle.c b/Modules/_pickle.c
index e3aa7c5..1c9b9eb 100644
--- a/Modules/_pickle.c
+++ b/Modules/_pickle.c
@@ -1244,7 +1244,7 @@ _Unpickler_ReadImpl(UnpicklerObject *self, char **s, Py_ssize_t n)
    Returns -1 (with an exception set) on failure. On success, return the
    number of chars read. */
 #define _Unpickler_Read(self, s, n) \
-    (((self)->next_read_idx + (n) <= (self)->input_len)      \
+    (((n) <= (self)->input_len - (self)->next_read_idx)      \
      ? (*(s) = (self)->input_buffer + (self)->next_read_idx, \
         (self)->next_read_idx += (n),                        \
         (n))                                                 \
-- 
cgit v0.12