From d9bf7f4198871132714cfe7d702baaa02206e9f1 Mon Sep 17 00:00:00 2001
From: "T. Wouters"
Date: Mon, 4 Mar 2019 10:52:07 -0800
Subject: [2.7] bpo-36149 Fix potential use of uninitialized memory in cPickle (#12105)

Fix off-by-one bug in cPickle that caused it to use uninitialised memory on truncated pickles read from FILE*s.
---
 .../2019-02-28-13-52-18.bpo-36149.GJdnh4.rst | 2 ++
 Modules/cPickle.c | 13 ++++++++-----
 2 files changed, 10 insertions(+), 5 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Core and Builtins/2019-02-28-13-52-18.bpo-36149.GJdnh4.rst

diff --git a/Misc/NEWS.d/next/Core and Builtins/2019-02-28-13-52-18.bpo-36149.GJdnh4.rst b/Misc/NEWS.d/next/Core and Builtins/2019-02-28-13-52-18.bpo-36149.GJdnh4.rst
new file mode 100644
index 0000000..672db6c
--- /dev/null
+++ b/Misc/NEWS.d/next/Core and Builtins/2019-02-28-13-52-18.bpo-36149.GJdnh4.rst
@@ -0,0 +1,2 @@
+Fix use of uninitialized memory in cPickle when reading a truncated pickle
+from a file object.
diff --git a/Modules/cPickle.c b/Modules/cPickle.c
index 914ebb3..f7c6fec 100644
--- a/Modules/cPickle.c
+++ b/Modules/cPickle.c
@@ -586,12 +586,15 @@ readline_file(Unpicklerobject *self, char **s)
     while (1) {
         Py_ssize_t bigger;
         char *newbuf;
-        for (; i < (self->buf_size - 1); i++) {
-            if (feof(self->fp) ||
-                (self->buf[i] = getc(self->fp)) == '\n') {
-                self->buf[i + 1] = '\0';
+        while (i < (self->buf_size - 1)) {
+            int newchar = getc(self->fp);
+            if (newchar != EOF) {
+                self->buf[i++] = newchar;
+            }
+            if (newchar == EOF || newchar == '\n') {
+                self->buf[i] = '\0';
                 *s = self->buf;
-                return i + 1;
+                return i;
             }
         }
         if (self->buf_size > (PY_SSIZE_T_MAX >> 1)) {
-- 
cgit v0.12
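Review bot: In the new `while` loop of readline_file, a read error on `self->fp` is indistinguishable from end-of-file, because `getc` returns EOF for both, so a failing stream is silently handed back as a (possibly empty) truncated line rather than an exception. After the `newchar == EOF` branch fires, consider checking `ferror(self->fp)` and propagating the failure, e.g. `if (newchar == EOF && ferror(self->fp)) { PyErr_SetFromErrno(PyExc_IOError); return -1; }` — this assumes readline_file's callers treat a negative return as an error, which is not visible in this hunk. A short comment on the EOF branch would also help a reader see that the partial-line return is deliberate, e.g. `/* EOF or I/O error: hand back what was read, NUL-terminated; the caller is responsible for detecting the missing '\n' */`, if that is indeed how truncation is detected downstream. readline_file's body starts and ends outside the hunk.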