Created on 2009-07-23 15:15 by boogenhagn, last changed 2009-07-23 22:36 by amaury.forgeotdarc. This issue is now closed.
| Files | ||||
|---|---|---|---|---|
| File name | Uploaded | Description | Edit | |
| pickle_badinput.patch | amaury.forgeotdarc, 2009-07-23 16:44 | |||
| Messages (3) | |||
|---|---|---|---|
| msg90847 - (view) | Author: Patrick Strawderman (boogenhagn) | Date: 2009-07-23 15:15 | |
When reading from a file-like object (like StringIO), cPickle uses the
read_other function, which doesn't check that the number of bytes
requested is the actual number of bytes read (like the read_cStringIO
function does).
Functions like load_binunicode falsely assume that the number of bytes
specified after the BINUNICODE instruction are the actual number of
bytes read. This can eventually lead to a segmentation fault, as
demonstrated in the following example:
import cPickle, StringIO
cPickle.Unpickler(StringIO.StringIO("X''.")).load()
I have tested and reproduced this on Python 2.4.6 (OS X 32-bit), 2.5.1
(OS X 32-bit), and 2.6.2 (Linux 64-bit).
I have not tested Python 3.x, but I believe this problem may be akin to
the one in issue4298.
|
|||
| msg90848 - (view) | Author: Amaury Forgeot d'Arc (amaury.forgeotdarc) *  |
Date: 2009-07-23 16:44 | |
Attached patch fixes the problem. |
|||
| msg90865 - (view) | Author: Amaury Forgeot d'Arc (amaury.forgeotdarc) * |
Date: 2009-07-23 22:36 | |
Fixed in r74189 (trunk) and r74190 (2.6) Thanks for the report! |
|||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2009-07-23 22:36:19 | amaury.forgeotdarc | set | status: open -> closed resolution: fixed messages: + msg90865 |
| 2009-07-23 16:44:08 | amaury.forgeotdarc | set | files:
+ pickle_badinput.patch nosy: + amaury.forgeotdarc messages: + msg90848 assignee: amaury.forgeotdarc keywords: + patch |
| 2009-07-23 15:15:18 | boogenhagn | create | |