mirrors/cpython
1
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2025-09-26 18:29:57 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 10

Issue #12847: Fix a crash with negative PUT and LONG_BINPUT arguments in

Browse source 
the C pickle implementation.
This commit is contained in:
Antoine Pitrou 2011-08-30 00:28:40 +02:00
commit a514eb95f3
4 changed files with 31 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

6
Lib/pickle.py
View file

@ -1154,16 +1154,22 @@ class _Unpickler:
def load_put(self): def load_put(self):
i = int(self.readline()[:-1]) i = int(self.readline()[:-1])
if i < 0:
raise ValueError("negative PUT argument")
self.memo[i] = self.stack[-1] self.memo[i] = self.stack[-1]
dispatch[PUT[0]] = load_put dispatch[PUT[0]] = load_put
def load_binput(self): def load_binput(self):
i = self.read(1)[0] i = self.read(1)[0]
if i < 0:
raise ValueError("negative BINPUT argument")
self.memo[i] = self.stack[-1] self.memo[i] = self.stack[-1]
dispatch[BINPUT[0]] = load_binput dispatch[BINPUT[0]] = load_binput
def load_long_binput(self): def load_long_binput(self):
i = mloads(b'i' + self.read(4)) i = mloads(b'i' + self.read(4))
if i < 0:
raise ValueError("negative LONG_BINPUT argument")
self.memo[i] = self.stack[-1] self.memo[i] = self.stack[-1]
dispatch[LONG_BINPUT[0]] = load_long_binput dispatch[LONG_BINPUT[0]] = load_long_binput

12
Lib/test/pickletester.py
View file

@ -1150,6 +1150,18 @@ class AbstractPickleTests(unittest.TestCase):
# On 32-bit builds, a BINUNICODE of 2**31 or more is refused # On 32-bit builds, a BINUNICODE of 2**31 or more is refused
self.check_negative_32b_binXXX(b'\x80\x03X\xff\xff\xff\xffxyzq\x00.') self.check_negative_32b_binXXX(b'\x80\x03X\xff\xff\xff\xffxyzq\x00.')
def test_negative_put(self):
# Issue #12847
dumped = b'Va\np-1\n.'
self.assertRaises(ValueError, self.loads, dumped)
def test_negative_32b_binput(self):
# Issue #12847
if sys.maxsize > 2**32:
self.skipTest("test is only meaningful on 32-bit builds")
dumped = b'\x80\x03X\x01\x00\x00\x00ar\xff\xff\xff\xff.'
self.assertRaises(ValueError, self.loads, dumped)
class BigmemPickleTests(unittest.TestCase): class BigmemPickleTests(unittest.TestCase):

3
Misc/NEWS
View file

@ -268,6 +268,9 @@ Core and Builtins
Library Library
------- -------
- Issue #12847: Fix a crash with negative PUT and LONG_BINPUT arguments in
the C pickle implementation.
- Issue #11564: Avoid crashes when trying to pickle huge objects or containers - Issue #11564: Avoid crashes when trying to pickle huge objects or containers
(more than 2**31 items). Instead, in most cases, an OverflowError is raised. (more than 2**31 items). Instead, in most cases, an OverflowError is raised.

11
Modules/_pickle.c
View file

@ -4873,8 +4873,12 @@ load_put(UnpicklerObject *self)
return -1; return -1;
idx = PyLong_AsSsize_t(key); idx = PyLong_AsSsize_t(key);
Py_DECREF(key); Py_DECREF(key);
if (idx == -1 && PyErr_Occurred()) if (idx < 0) {
if (!PyErr_Occurred())
PyErr_SetString(PyExc_ValueError,
"negative PUT argument");
return -1; return -1;
}
return _Unpickler_MemoPut(self, idx, value); return _Unpickler_MemoPut(self, idx, value);
} }
@ -4913,6 +4917,11 @@ load_long_binput(UnpicklerObject *self)
value = self->stack->data[Py_SIZE(self->stack) - 1]; value = self->stack->data[Py_SIZE(self->stack) - 1];
idx = calc_binsize(s, 4); idx = calc_binsize(s, 4);
if (idx < 0) {
PyErr_SetString(PyExc_ValueError,
"negative LONG_BINPUT argument");
return -1;
}
return _Unpickler_MemoPut(self, idx, value); return _Unpickler_MemoPut(self, idx, value);
} }