From: Serhiy Storchaka Date: Wed, 25 Nov 2015 13:01:53 +0000 (+0200) Subject: Issue #25725: Fixed a reference leak in pickle.loads() when unpickling X-Git-Tag: v3.4.4rc1~25 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=a49de6be3669e4698ea55d22e0fdebb29be63f2e;p=python Issue #25725: Fixed a reference leak in pickle.loads() when unpickling invalid data including tuple instructions.
---
diff --git a/Misc/NEWS b/Misc/NEWS
index c98cd96151..347ce48021 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -106,6 +106,9 @@ Core and Builtins
 Library
 -------
+- Issue #25725: Fixed a reference leak in pickle.loads() when unpickling
+ invalid data including tuple instructions.
+
 - Issue #25663: In the Readline completer, avoid listing duplicate global names, and search the global namespace before searching builtins.
diff --git a/Modules/_pickle.c b/Modules/_pickle.c
index d3bc420096..6ff16bba7d 100644
--- a/Modules/_pickle.c
+++ b/Modules/_pickle.c
@@ -4915,15 +4915,14 @@ load_counted_binunicode(UnpicklerObject *self, int nbytes)
 }
 static int
-load_tuple(UnpicklerObject *self)
+load_counted_tuple(UnpicklerObject *self, int len)
 {
 PyObject *tuple;
- Py_ssize_t i;
- if ((i = marker(self)) < 0)
- return -1;
+ if (Py_SIZE(self->stack) < len)
+ return stack_underflow();
- tuple = Pdata_poptuple(self->stack, i);
+ tuple = Pdata_poptuple(self->stack, Py_SIZE(self->stack) - len);
 if (tuple == NULL)
 return -1;
 PDATA_PUSH(self->stack, tuple, -1);
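Review bot: The new guard in load_counted_tuple, `if (Py_SIZE(self->stack) < len)`, rejects only a count that is too large; a negative `len` passes it and makes the start index handed to `Pdata_poptuple` larger than the stack size. This path is driven by the pickle stream, which may be untrusted, so I would reject that case in the same test: `if (len < 0 || Py_SIZE(self->stack) < len) return stack_underflow();`. Whether a negative count is actually reachable depends on marker() and on the callers, which are not shown here apart from load_tuple in the next hunk, where it is computed as `Py_SIZE(self->stack) - i`. The closing lines of load_counted_tuple fall outside this hunk.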
@@ -4931,24 +4930,14 @@ load_tuple(UnpicklerObject *self)
 }
 static int
-load_counted_tuple(UnpicklerObject *self, int len)
+load_tuple(UnpicklerObject *self)
 {
- PyObject *tuple;
+ Py_ssize_t i;
- tuple = PyTuple_New(len);
- if (tuple == NULL)
+ if ((i = marker(self)) < 0)
 return -1;
- while (--len >= 0) {
- PyObject *item;
-
- PDATA_POP(self->stack, item);
- if (item == NULL)
- return -1;
- PyTuple_SET_ITEM(tuple, len, item);
- }
- PDATA_PUSH(self->stack, tuple, -1);
- return 0;
+ return load_counted_tuple(self, Py_SIZE(self->stack) - i);
 }
 static int
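Review bot: The call `load_counted_tuple(self, Py_SIZE(self->stack) - i)` in load_tuple passes a `Py_ssize_t` difference to a parameter declared `int len`, so on 64-bit builds the value is narrowed implicitly and a very large stack segment could arrive as a wrong or negative count. Declaring the parameter as `Py_ssize_t len` in load_counted_tuple (previous hunk) removes the conversion; the other callers are not visible here, but widening the type should not change anything for small fixed counts. No regression test for the leak is visible in this patch; one that unpickles a tuple opcode with too few stack items and expects an unpickling error would pin the fix down.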