Issue #25725: Fixed a reference leak in cPickle.loads() when unpickling

invalid data including tuple instructions.

diff --git a/Misc/NEWS b/Misc/NEWS
index 9a1402f9f0e3c2cc3cdbb98c493dcc0107e23683..4c1dc1a706d20fccda4c2f1b27fa32fbd4c63ff1 100644 (file)
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -13,6 +13,9 @@ Core and Builtins
 Library
 -------
 
+- Issue #25725: Fixed a reference leak in cPickle.loads() when unpickling
+  invalid data including tuple instructions.
+
 - Issue #25663: In the Readline completer, avoid listing duplicate global
   names, and search the global namespace before searching builtins.
 

diff --git a/Modules/cPickle.c b/Modules/cPickle.c
index b053aa5d3a8b50981994daeff83343046235a4b5..e1959613e18b06792e6880d3630fd4b5ab15be7a 100644 (file)
--- a/Modules/cPickle.c
+++ b/Modules/cPickle.c
@@ -3798,35 +3798,26 @@ load_binunicode(Unpicklerobject *self)
 
 
 static int
-load_tuple(Unpicklerobject *self)
+load_counted_tuple(Unpicklerobject *self, int len)
 {
     PyObject *tup;
-    Py_ssize_t i;
 
-    if ((i = marker(self)) < 0) return -1;
-    if (!( tup=Pdata_popTuple(self->stack, i)))  return -1;
+    if (self->stack->length < len)
+        return stackUnderflow();
+
+    if (!(tup = Pdata_popTuple(self->stack, self->stack->length - len)))
+        return -1;
     PDATA_PUSH(self->stack, tup, -1);
     return 0;
 }
 
 static int
-load_counted_tuple(Unpicklerobject *self, int len)
+load_tuple(Unpicklerobject *self)
 {
-    PyObject *tup = PyTuple_New(len);
-
-    if (tup == NULL)
-        return -1;
-
-    while (--len >= 0) {
-        PyObject *element;
+    Py_ssize_t i;
 
-        PDATA_POP(self->stack, element);
-        if (element == NULL)
-            return -1;
-        PyTuple_SET_ITEM(tup, len, element);
-    }
-    PDATA_PUSH(self->stack, tup, -1);
-    return 0;
+    if ((i = marker(self)) < 0) return -1;
+    return load_counted_tuple(self, self->stack->length - i);
 }
 
 static int