From 80767a38c74318acbd6fc4bfe228a1d0c0556221 Mon Sep 17 00:00:00 2001
From: Serhiy Storchaka
Date: Wed, 25 Nov 2015 15:07:49 +0200
Subject: [PATCH] Issue #25725: Fixed a reference leak in cPickle.loads() when unpickling invalid data including tuple instructions.
---
 Misc/NEWS | 3 +++
 Modules/cPickle.c | 29 ++++++++++------------------
 2 files changed, 13 insertions(+), 19 deletions(-)

diff --git a/Misc/NEWS b/Misc/NEWS
index 9a1402f9f0e3..4c1dc1a706d2 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -13,6 +13,9 @@ Core and Builtins
 Library
 -------
+- Issue #25725: Fixed a reference leak in cPickle.loads() when unpickling
+  invalid data including tuple instructions.
+
 - Issue #25663: In the Readline completer, avoid listing duplicate global
   names, and search the global namespace before searching builtins.
diff --git a/Modules/cPickle.c b/Modules/cPickle.c
index b053aa5d3a8b..e1959613e18b 100644
--- a/Modules/cPickle.c
+++ b/Modules/cPickle.c
@@ -3798,35 +3798,26 @@ load_binunicode(Unpicklerobject *self)
 static int
-load_tuple(Unpicklerobject *self)
+load_counted_tuple(Unpicklerobject *self, int len)
 {
     PyObject *tup;
-    Py_ssize_t i;
-    if ((i = marker(self)) < 0) return -1;
-    if (!( tup=Pdata_popTuple(self->stack, i))) return -1;
+    if (self->stack->length < len)
+        return stackUnderflow();
+
+    if (!(tup = Pdata_popTuple(self->stack, self->stack->length - len)))
+        return -1;
     PDATA_PUSH(self->stack, tup, -1);
     return 0;
 }
 static int
-load_counted_tuple(Unpicklerobject *self, int len)
+load_tuple(Unpicklerobject *self)
 {
-    PyObject *tup = PyTuple_New(len);
-
-    if (tup == NULL)
-        return -1;
-
-    while (--len >= 0) {
-        PyObject *element;
+    Py_ssize_t i;
-        PDATA_POP(self->stack, element);
-        if (element == NULL)
-            return -1;
-        PyTuple_SET_ITEM(tup, len, element);
-    }
-    PDATA_PUSH(self->stack, tup, -1);
-    return 0;
+    if ((i = marker(self)) < 0) return -1;
+    return load_counted_tuple(self, self->stack->length - i);
 }
 static int
-- 
2.47.3
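Review bot: The new `load_tuple` computes `self->stack->length - i` without first checking that the mark index `i` is not above the current stack length; if `marker()` can return such an index (its body is outside this hunk, so this is inferred rather than seen), `len` goes negative, the new `self->stack->length < len` check does not fire, and `Pdata_popTuple` is called with a start position past the end of the stack, so the malformed input is not rejected by the underflow path the commit introduces. A guard in `load_tuple` before the call, `if (i > self->stack->length) return stackUnderflow();`, would make that input fail through the same explicit path. Separately, `load_counted_tuple` keeps its `int len` parameter while the value `load_tuple` now passes is a `Py_ssize_t` difference, so it is narrowed implicitly; declaring it `static int load_counted_tuple(Unpicklerobject *self, Py_ssize_t len)` matches the type of `self->stack->length` and removes the conversion without affecting the literal-count callers. Both functions are complete within the hunk; the trailing `static int` belongs to a definition that starts outside it.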