Classification
Title: cPickle.load() segfault on invalid data
Type: crash
Stage: resolved
Components: Extension Modules
Versions: Python 2.6

Process
Status: closed
Resolution: duplicate
Dependencies: (none)
Superseder: cPickle: stack underflow in load_pop() (issue 7455)
Assigned To: (none)
Nosy List: dhelfman, eric.smith, r.david.murray
Priority: normal
Keywords: (none)

Created on 2010-01-22 19:24 by dhelfman, last changed 2010-01-22 19:54 by eric.smith. This issue is now closed.

Messages (3)
msg98157 - Author: Dan Helfman (dhelfman) Date: 2010-01-22 19:24
The following code causes Python to segfault:

>>> import cPickle
>>> import cStringIO as io
>>> cPickle.load( io.StringIO( '0' ) )

Note that if the string is changed from '0' to '1', then the crash does not occur and an UnpicklingError is properly raised.

This is in MSYS on Windows XP with Python 2.6.4 from python.org:

$ gdb python
GNU gdb 5.2.1
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i686-pc-mingw32"...(no debugging symbols found)...
(gdb) r -c "import cPickle; import cStringIO as io;  cPickle.load( io.StringIO( '0' ) )"
Starting program: c:\python26/python.exe -c "import cPickle; import cStringIO as io;  cPickle.load( io.StringIO( '0' ) )"

Program received signal SIGSEGV, Segmentation fault.
0x1e09ada3 in ?? ()
(gdb) bt
#0  0x1e09ada3 in ?? ()
#1  0x1e0e1fd5 in ?? ()
#2  0x00a4e290 in ?? ()
#3  0x1e1d1d30 in ?? ()
Cannot access memory at address 0x3

And this is on Mac OS X 10.5 with Python 2.6.4 from python.org:

$ gdb python
GNU gdb 6.3.50-20050815 (Apple version gdb-962) (Sat Jul 26 08:14:40 UTC 2008)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-apple-darwin"...Reading symbols for shared libraries .. done

(gdb) r -c "import cPickle; import cStringIO as io; cPickle.load( io.StringIO( '0' ) )"
Starting program: /System/Library/Frameworks/Python.framework/Versions/2.6/bin/python -c "import cPickle; import cStringIO as io; cPickle.load( io.StringIO( '0' ) )"
Reading symbols for shared libraries +. done

Program received signal SIGTRAP, Trace/breakpoint trap.
0x8fe01010 in __dyld__dyld_start ()
(gdb) bt
#0  0x8fe01010 in __dyld__dyld_start ()
Cannot access memory at address 0x4

The same crash occurs on the Mac when using Apple's Python 2.5.1. However, on Linux with Debian stable's Python 2.5.2, I just get an UnpicklingError (stack underflow) exception without a crash.
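The streams from this report, replayed on Python 3 as an added example that is not part of the issue thread: cPickle exists only on Python 2, so the bytes are fed to the Python 3 `pickle` module, where the POP-on-empty-stack case surfaces as a controlled exception instead of a segfault, and a `pickletools.dis` pass (which simulates the unpickler's stack opcode by opcode) is used as a structural pre-check before any object is constructed. The function names, the `SAMPLES` table and the third, well-formed stream are constructed for this example.

```python
"""Added example: replay the malformed pickle streams from the report on
Python 3 and gate loading behind a pickletools stack simulation."""
import io
import pickle
import pickletools
from typing import Any, Tuple

# Constructed inputs. b"0" is the POP opcode with nothing on the stack (the
# crashing case in the report); b"1" is INT with no terminating newline (the
# case that raised UnpicklingError); the third is a well-formed protocol-2
# pickle of a small list.
SAMPLES = {
    "pop_on_empty_stack": b"0",
    "int_without_newline": b"1",
    "well_formed": pickle.dumps([1, 2, 3], protocol=2),
}


def precheck(data: bytes) -> Tuple[bool, str]:
    """Static check: let pickletools.dis walk the opcode stream.

    dis() keeps a model of the unpickler stack and raises ValueError when an
    opcode would pop more items than are present, when an argument is
    truncated, or when the stream ends before STOP. Nothing is unpickled;
    the disassembly text is discarded via a StringIO sink.
    """
    try:
        pickletools.dis(data, out=io.StringIO())
    except ValueError as exc:
        return False, "rejected by pickletools: %s" % exc
    return True, "ok"


def safe_load(data: bytes) -> Tuple[bool, Any]:
    """Run the precheck, then unpickle; failures come back as values.

    Returns (True, obj) on success or (False, reason) on failure.
    """
    ok, why = precheck(data)
    if not ok:
        return False, why
    try:
        return True, pickle.load(io.BytesIO(data))
    except (pickle.UnpicklingError, EOFError, IndexError, ValueError) as exc:
        return False, "%s: %s" % (type(exc).__name__, exc)


def raw_load_outcome(data: bytes) -> str:
    """Feed the stream straight to pickle.load, as the report did with
    cPickle, and return the name of the exception raised (or "loaded").
    Any Python-level exception here is the fixed behaviour; the bug was
    that cPickle 2.6.4 reached C code that dereferenced an empty stack."""
    try:
        pickle.load(io.BytesIO(data))
    except Exception as exc:  # any controlled exception, never a SIGSEGV
        return type(exc).__name__
    return "loaded"


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print("%-22s raw: %-16s checked: %r"
              % (name, raw_load_outcome(data), safe_load(data)))
```

The pickletools pass catches structural faults such as this underflow, and is a useful first line when a pickle stream is produced by a trusted component but may have been corrupted in transit. It makes no statement about what GLOBAL or REDUCE opcodes in the stream would execute, so it does not turn an untrusted pickle into one that is safe to load.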
msg98159 - Author: R. David Murray (r.david.murray) (Python committer) Date: 2010-01-22 19:52
This is already fixed, I believe as part of a general cleanup of one of the C API macros. On current 2.6 branch and on trunk you now get an unpickling stack underflow in this case.
msg98160 - Author: Eric V. Smith (eric.smith) (Python committer) Date: 2010-01-22 19:54
This is a duplicate of issue 7455.
History

2010-01-22 19:54:08  eric.smith  set
    nosy: + eric.smith
    messages: + msg98160
    superseder: cPickle: stack underflow in load_pop()
    components: + Extension Modules, - None
    resolution: out of date -> duplicate

2010-01-22 19:52:11  r.david.murray  set
    status: open -> closed
    priority: normal
    nosy: + r.david.murray
    messages: + msg98159
    resolution: out of date
    stage: resolved

2010-01-22 19:29:23  dhelfman  set
    title: cPickle segfault on invalid data -> cPickle.load() segfault on invalid data

2010-01-22 19:24:14  dhelfman  create