Fix bug

[ 1180997 ] lax error-checking in new-in-2.4 marshal stuff

which I'd assigned to Martin, but actually turned out to be easy to fix.

Also, a test.

diff --git a/Lib/test/test_marshal.py b/Lib/test/test_marshal.py
index b62e2d854a18f886d8cfc222be4295c8b107a179..f87495bae2dde27969b323105bf69f868e2423e1 100644 (file)
--- a/Lib/test/test_marshal.py
+++ b/Lib/test/test_marshal.py
@@ -211,6 +211,15 @@ class BugsTestCase(unittest.TestCase):
         self.assertEquals(marshal.loads(marshal.dumps(5, 0)), 5)
         self.assertEquals(marshal.loads(marshal.dumps(5, 1)), 5)
 
+    def test_fuzz(self):
+        # simple test that it's at least not *totally* trivial to
+        # crash from bad marshal data
+        for c in [chr(i) for i in range(256)]:
+            try:
+                marshal.loads(c)
+            except Exception:
+                pass
+
 def test_main():
     test_support.run_unittest(IntTestCase,
                               FloatTestCase,

diff --git a/Python/marshal.c b/Python/marshal.c
index 6c6570096673db4683b9f24f98b51107c11bdfa4..7f38a467f9694c2f9c4d6ec27b66e101129c53a8 100644 (file)
--- a/Python/marshal.c
+++ b/Python/marshal.c
@@ -648,6 +648,10 @@ r_object(RFILE *p)
 
        case TYPE_STRINGREF:
                n = r_long(p);
+               if (n < 0 || n >= PyList_GET_SIZE(p->strings)) {
+                       PyErr_SetString(PyExc_ValueError, "bad marshal data");
+                       return NULL;
+               }
                v = PyList_GET_ITEM(p->strings, n);
                Py_INCREF(v);
                return v;