From a45cb45965e4afa035d5069d30a579898b79f1e3 Mon Sep 17 00:00:00 2001
From: Guido van Rossum
Date: Mon, 8 Jun 1998 20:27:29 +0000
Subject: When unmarshalling, add test for negative lengths on strings, tuples and lists; if the size is negative, raise an exception. Also raise an exception when an undefined type is found -- all this to increase the chance that garbage input causes an exception instead of a core dump.
---
 Python/marshal.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/Python/marshal.c b/Python/marshal.c
index 3664734..3d5f2e5 100644
--- a/Python/marshal.c
+++ b/Python/marshal.c
@@ -463,6 +463,10 @@ r_object(p)
 case TYPE_STRING:
 n = r_long(p);
+ if (n < 0) {
+ PyErr_SetString(PyExc_ValueError, "bad marshal data");
+ return NULL;
+ }
 v = PyString_FromStringAndSize((char *)NULL, n);
 if (v != NULL) {
 if (r_string(PyString_AsString(v), (int)n, p) != n) {
@@ -476,6 +480,10 @@ r_object(p)
 case TYPE_TUPLE:
 n = r_long(p);
+ if (n < 0) {
+ PyErr_SetString(PyExc_ValueError, "bad marshal data");
+ return NULL;
+ }
 v = PyTuple_New((int)n);
 if (v == NULL) return v;
@@ -492,6 +500,10 @@ r_object(p)
 case TYPE_LIST:
 n = r_long(p);
+ if (n < 0) {
+ PyErr_SetString(PyExc_ValueError, "bad marshal data");
+ return NULL;
+ }
 v = PyList_New((int)n);
 if (v == NULL) return v;
@@ -571,8 +583,8 @@ r_object(p)
 default:
 /* Bogus data got written, which isn't ideal. This will let you keep working and recover. */
- Py_INCREF(Py_None);
- return Py_None;
+ PyErr_SetString(PyExc_ValueError, "bad marshal data");
+ return NULL;
 }
 }
-- cgit v0.12
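Review bot: The new `n < 0` check in the TYPE_STRING case still accepts every positive length, so a few bytes of garbage input can request an allocation as large as the biggest value r_long() returns before any payload has been read; the TYPE_TUPLE and TYPE_LIST hunks have the same gap. For strings the short read is caught by the visible `r_string(...) != n` comparison, but only after `PyString_FromStringAndSize` has already been asked for n bytes. Where the reader knows how many bytes of input remain, comparing n against that before allocating would reject such input early; failing that, a comment such as `/* n is non-negative but still untrusted: the object is allocated at full size before its data is read */` would record the remaining exposure. The three identical four-line checks could also be folded into one small helper so that a later tightening lands in all three cases.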
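Review bot: In the TYPE_TUPLE case the sign check is made on the long `n`, but the value actually used is `(int)n`, so on a platform where long is wider than int a positive n above INT_MAX would pass the check and then be narrowed, possibly to a negative or much smaller size. Whether r_long() can return such a value is not visible in this hunk; if it can, the guard should read `if (n < 0 || n > INT_MAX) {` (INT_MAX from <limits.h>). The same cast appears in `PyList_New((int)n)` in the TYPE_LIST hunk and in the `r_string(..., (int)n, p)` call in the TYPE_STRING hunk.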
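Review bot: The context comment kept above the changed lines in the `default:` branch still says "This will let you keep working and recover", which described returning Py_None; the branch now raises ValueError, so the comment should be replaced, for example with `/* Unknown type code: treat the input as corrupt and raise instead of guessing. */`. Because r_object() now returns NULL here where it used to return a valid object, the recursive callers that fill tuples and lists (outside this hunk) have to check each element for NULL before storing it; it is worth confirming that they do.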