From: Sergey Fedoseev
Date: Sat, 25 Aug 2018 10:41:58 +0000 (+0500)
Subject: bpo-34395: Don't free allocated memory on realloc fail in load_mark() in _pickle...
X-Git-Tag: v3.8.0a1~1159
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=90555eca44a19c743d39b7fd2e05f7bc37fb5cb8;p=thirdparty%2FPython%2Fcpython.git
bpo-34395: Don't free allocated memory on realloc fail in load_mark() in _pickle.c. (GH-8788)
---
diff --git a/Modules/_pickle.c b/Modules/_pickle.c
index 39628fcef5d5..2de70f5d9405 100644
--- a/Modules/_pickle.c
+++ b/Modules/_pickle.c
@@ -6289,24 +6289,14 @@ load_mark(UnpicklerObject *self)
 */
 if (self->num_marks >= self->marks_size) {
- size_t alloc;
-
- /* Use the size_t type to check for overflow. */
- alloc = ((size_t)self->num_marks << 1) + 20;
- if (alloc > (PY_SSIZE_T_MAX / sizeof(Py_ssize_t)) ||
- alloc <= ((size_t)self->num_marks + 1)) {
- PyErr_NoMemory();
- return -1;
- }
-
- Py_ssize_t *marks_old = self->marks;
- PyMem_RESIZE(self->marks, Py_ssize_t, alloc);
- if (self->marks == NULL) {
- PyMem_FREE(marks_old);
- self->marks_size = 0;
+ size_t alloc = ((size_t)self->num_marks << 1) + 20;
+ Py_ssize_t *marks_new = self->marks;
+ PyMem_RESIZE(marks_new, Py_ssize_t, alloc);
+ if (marks_new == NULL) {
 PyErr_NoMemory();
 return -1;
 }
+ self->marks = marks_new;
 self->marks_size = (Py_ssize_t)alloc;
 }
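Review bot: With the explicit range test removed, nothing at `size_t alloc = ((size_t)self->num_marks << 1) + 20;` shows why `alloc * sizeof(Py_ssize_t)` cannot wrap or why the later `(Py_ssize_t)alloc` cast is safe; both now depend on the size check inside the `PyMem_RESIZE` macro, which is outside this hunk. Since the mark count grows with the pickle stream being loaded, which may be untrusted, I would state that dependency in a comment above the resize, e.g. `/* PyMem_RESIZE sets marks_new to NULL if alloc exceeds PY_SSIZE_T_MAX / sizeof(Py_ssize_t); self->marks is left untouched on failure. */`. Wraparound of the shift itself (the dropped `alloc <= num_marks + 1` test) looks unreachable because num_marks is bounded by the previous marks_size, but that is inferred and worth confirming. load_mark() begins and ends outside the hunk.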