classification
Title: cPickle "binunicode" segmentation fault
Type: Stage:
Components: Versions: Python 2.6, Python 2.5, Python 2.4
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: amaury.forgeotdarc Nosy List: amaury.forgeotdarc, boogenhagn (2)
Priority: Keywords patch

Created on 2009-07-23 15:15 by boogenhagn, last changed 2009-07-23 22:36 by amaury.forgeotdarc.

Files
File name Uploaded Description Edit Remove
pickle_badinput.patch amaury.forgeotdarc, 2009-07-23 16:44
Messages (3)
msg90847 - (view) Author: Patrick Strawderman (boogenhagn) Date: 2009-07-23 15:15 
When reading from a file-like object (like StringIO), cPickle uses the
read_other function, which doesn't check that the number of bytes
requested is the actual number of bytes read (like the read_cStringIO
function does).

Functions like load_binunicode falsely assume that the number of bytes
specified after the BINUNICODE instruction are the actual number of
bytes read.  This can eventually lead to a segmentation fault, as
demonstrated in the following example:

import cPickle, StringIO

cPickle.Unpickler(StringIO.StringIO("X''.")).load()


I have tested and reproduced this on Python 2.4.6 (OS X 32-bit), 2.5.1
(OS X 32-bit), and 2.6.2 (Linux 64-bit).

I have not tested Python 3.x, but I believe this problem may be akin to
the one in issue4298.
msg90848 - (view) Author: Amaury Forgeot d'Arc (amaury.forgeotdarc) Date: 2009-07-23 16:44 
Attached patch fixes the problem.
msg90865 - (view) Author: Amaury Forgeot d'Arc (amaury.forgeotdarc) Date: 2009-07-23 22:36 
Fixed in r74189 (trunk) and r74190 (2.6)
Thanks for the report!
History
Date User Action Args
2009-07-23 22:36:19amaury.forgeotdarcsetstatus: open -> closed
resolution: fixed
messages: + msg90865
2009-07-23 16:44:08amaury.forgeotdarcsetfiles: + pickle_badinput.patch

nosy: + amaury.forgeotdarc
messages: + msg90848

assignee: amaury.forgeotdarc
keywords: + patch
2009-07-23 15:15:18boogenhagncreate