From: Akshat Gupta Date: Sun, 29 Jun 2025 07:07:24 +0000 (+0530) Subject: gh-136053: Check error for TYPE_SLICE in marshal.c (GH-136054) X-Git-Tag: v3.15.0a1~1146 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=30ba03ea8ed98522b0500d6856b22727c88e818f;p=thirdparty%2FPython%2Fcpython.git gh-136053: Check error for TYPE_SLICE in marshal.c (GH-136054) Fix a possible crash when deserializing a large marshal data (at least several GiBs) containing a slice. --- diff --git a/Misc/NEWS.d/next/Security/2025-06-27-21-23-19.gh-issue-136053.QZxcee.rst b/Misc/NEWS.d/next/Security/2025-06-27-21-23-19.gh-issue-136053.QZxcee.rst new file mode 100644 index 000000000000..93caed3aa3b9 --- /dev/null +++ b/Misc/NEWS.d/next/Security/2025-06-27-21-23-19.gh-issue-136053.QZxcee.rst @@ -0,0 +1 @@ +:mod:`marshal`: fix a possible crash when deserializing :class:`slice` objects. diff --git a/Python/marshal.c b/Python/marshal.c index afbef6ee6796..15dd25d6268d 100644 --- a/Python/marshal.c +++ b/Python/marshal.c @@ -1656,6 +1656,9 @@ r_object(RFILE *p) case TYPE_SLICE: { Py_ssize_t idx = r_ref_reserve(flag, p); + if (idx < 0) { + break; + } PyObject *stop = NULL; PyObject *step = NULL; PyObject *start = r_object(p);
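Review bot: The added NEWS line in Misc/NEWS.d/next/Security/2025-06-27-21-23-19.gh-issue-136053.QZxcee.rst does not say when the crash can occur. The commit message limits it to large marshal data (at least several GiBs) containing a slice. Carrying that condition into the entry would let readers of the Security section judge whether their use of :mod:`marshal` is exposed.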
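Review bot: In the `case TYPE_SLICE:` hunk of Python/marshal.c, the new `if (idx < 0) { break; }` depends on two things that these lines do not show: that `r_ref_reserve` has already set an exception when it returns a negative index, and that the value `r_object` returns after the `break` is NULL on this path. Both are worth confirming against the surrounding code, and a one-line comment on the check stating them would help the next reader. The patch also touches no test file. If the several-GiB input mentioned in the commit message makes a regression test impractical, saying so in the commit message would answer the question before it is asked.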