[3.14] gh-136053: Check error for TYPE_SLICE in marshal.c (GH-136054) (GH-136092)

author Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>

Sun, 29 Jun 2025 07:36:04 +0000 (09:36 +0200)

committer GitHub <noreply@github.com>

Sun, 29 Jun 2025 07:36:04 +0000 (07:36 +0000)
author Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Sun, 29 Jun 2025 07:36:04 +0000 (09:36 +0200)
committer GitHub <noreply@github.com>
Sun, 29 Jun 2025 07:36:04 +0000 (07:36 +0000)
diff --git a/Misc/NEWS.d/next/Security/2025-06-27-21-23-19.gh-issue-136053.QZxcee.rst b/Misc/NEWS.d/next/Security/2025-06-27-21-23-19.gh-issue-136053.QZxcee.rst

new file mode 100644 (file)

index 0000000..93caed3
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2025-06-27-21-23-19.gh-issue-136053.QZxcee.rst
@@ -0,0 +1 @@
+:mod:`marshal`: fix a possible crash when deserializing :class:`slice` objects.
diff --git a/Python/marshal.c b/Python/marshal.c

index b39c1a5b1ade50e33673eaac0a7f5801fb880b33..a0f3e0a9f5668cd9d716007e633bc18cce35eba0 100644 (file)
--- a/Python/marshal.c
+++ b/Python/marshal.c
@@ -1656,6 +1656,9 @@ r_object(RFILE *p)
      case TYPE_SLICE:
      {
          Py_ssize_t idx = r_ref_reserve(flag, p);
+        if (idx < 0) {
+            break;
+        }
          PyObject *stop = NULL;
          PyObject *step = NULL;
          PyObject *start = r_object(p);
author	Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
	Sun, 29 Jun 2025 07:36:04 +0000 (09:36 +0200)
committer	GitHub <noreply@github.com>
	Sun, 29 Jun 2025 07:36:04 +0000 (07:36 +0000)
Misc/NEWS.d/next/Security/2025-06-27-21-23-19.gh-issue-136053.QZxcee.rst	[new file with mode: 0644]	patch \| blob
Python/marshal.c		patch \| blob \| blame \| history