From: Serhiy Storchaka
Date: Wed, 25 Nov 2015 13:07:49 +0000 (+0200)
Subject: Issue #25725: Fixed a reference leak in cPickle.loads() when unpickling
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=80767a38c74318acbd6fc4bfe228a1d0c0556221;p=python
Issue #25725: Fixed a reference leak in cPickle.loads() when unpickling invalid data including tuple instructions.
---
diff --git a/Misc/NEWS b/Misc/NEWS
index 9a1402f9f0..4c1dc1a706 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -13,6 +13,9 @@ Core and Builtins
 Library
 -------
+- Issue #25725: Fixed a reference leak in cPickle.loads() when unpickling
+ invalid data including tuple instructions.
+
 - Issue #25663: In the Readline completer, avoid listing duplicate global names, and search the global namespace before searching builtins.
diff --git a/Modules/cPickle.c b/Modules/cPickle.c
index b053aa5d3a..e1959613e1 100644
--- a/Modules/cPickle.c
+++ b/Modules/cPickle.c
@@ -3798,35 +3798,26 @@ load_binunicode(Unpicklerobject *self)
 static int
-load_tuple(Unpicklerobject *self)
+load_counted_tuple(Unpicklerobject *self, int len)
 {
 PyObject *tup;
- Py_ssize_t i;
- if ((i = marker(self)) < 0) return -1;
- if (!( tup=Pdata_popTuple(self->stack, i))) return -1;
+ if (self->stack->length < len)
+ return stackUnderflow();
+
+ if (!(tup = Pdata_popTuple(self->stack, self->stack->length - len)))
+ return -1;
 PDATA_PUSH(self->stack, tup, -1);
 return 0;
 }
 static int
-load_counted_tuple(Unpicklerobject *self, int len)
+load_tuple(Unpicklerobject *self)
 {
- PyObject *tup = PyTuple_New(len);
-
- if (tup == NULL)
- return -1;
-
- while (--len >= 0) {
- PyObject *element;
+ Py_ssize_t i;
- PDATA_POP(self->stack, element);
- if (element == NULL)
- return -1;
- PyTuple_SET_ITEM(tup, len, element);
- }
- PDATA_PUSH(self->stack, tup, -1);
- return 0;
+ if ((i = marker(self)) < 0) return -1;
+ return load_counted_tuple(self, self->stack->length - i);
 }
 static int
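Review bot: `load_tuple` now passes `self->stack->length - i` into the `int len` parameter of `load_counted_tuple`, although `i` is declared `Py_ssize_t`, so the element count is narrowed wherever `Py_ssize_t` is wider than `int`. If the stack length is also a `Py_ssize_t` (its declaration is outside the hunk), a very large run above the marker would reach the callee with a truncated or negative `len`. The `self->stack->length < len` guard does not reject a negative value, so the start index recomputed for `Pdata_popTuple` would no longer equal the marker position. Declaring the callee as `load_counted_tuple(Unpicklerobject *self, Py_ssize_t len)` keeps the arithmetic in one type. The fixed-count callers are not visible here and should be checked against the new signature.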