the C pickle implementation.
def load_put(self):
i = int(self.readline()[:-1])
+ if i < 0:
+ raise ValueError("negative PUT argument")
self.memo[i] = self.stack[-1]
dispatch[PUT[0]] = load_put
def load_binput(self):
i = self.read(1)[0]
+ if i < 0:
+ raise ValueError("negative BINPUT argument")
self.memo[i] = self.stack[-1]
dispatch[BINPUT[0]] = load_binput
def load_long_binput(self):
i = mloads(b'i' + self.read(4))
+ if i < 0:
+ raise ValueError("negative LONG_BINPUT argument")
self.memo[i] = self.stack[-1]
dispatch[LONG_BINPUT[0]] = load_long_binput
# On 32-bit builds, a BINUNICODE of 2**31 or more is refused
self.check_negative_32b_binXXX(b'\x80\x03X\xff\xff\xff\xffxyzq\x00.')
+ def test_negative_put(self):
+ # Issue #12847
+ dumped = b'Va\np-1\n.'
+ self.assertRaises(ValueError, self.loads, dumped)
+
+ def test_negative_32b_binput(self):
+ # Issue #12847
+ if sys.maxsize > 2**32:
+ self.skipTest("test is only meaningful on 32-bit builds")
+ dumped = b'\x80\x03X\x01\x00\x00\x00ar\xff\xff\xff\xff.'
+ self.assertRaises(ValueError, self.loads, dumped)
+
class BigmemPickleTests(unittest.TestCase):
Library
-------
+- Issue #12847: Fix a crash with negative PUT and LONG_BINPUT arguments in
+ the C pickle implementation.
+
- Issue #11564: Avoid crashes when trying to pickle huge objects or containers
(more than 2**31 items). Instead, in most cases, an OverflowError is raised.
return -1;
idx = PyLong_AsSsize_t(key);
Py_DECREF(key);
- if (idx == -1 && PyErr_Occurred())
+ if (idx < 0) {
+ if (!PyErr_Occurred())
+ PyErr_SetString(PyExc_ValueError,
+ "negative PUT argument");
return -1;
+ }
return _Unpickler_MemoPut(self, idx, value);
}
value = self->stack->data[Py_SIZE(self->stack) - 1];
idx = calc_binsize(s, 4);
+ if (idx < 0) {
+ PyErr_SetString(PyExc_ValueError,
+ "negative LONG_BINPUT argument");
+ return -1;
+ }
return _Unpickler_MemoPut(self, idx, value);
}
projects / python / commitdiff