Title: A possible null pointer dereference in _pickle.c's save_reduce()
Type: crash Stage: patch review
Components: Extension Modules Versions: Python 3.8, Python 3.7, Python 3.6
Status: open Resolution:
Dependencies: Superseder:
Assigned To: Nosy List: ZackerySpytz, serhiy.storchaka
Priority: normal Keywords: patch

Created on 2018-10-15 06:44 by ZackerySpytz, last changed 2018-11-08 09:51 by serhiy.storchaka.

Pull Requests
URL Status Linked Edit
PR 9886 open ZackerySpytz, 2018-10-15 06:47
Messages (5)
msg327732 Author: Zackery Spytz (ZackerySpytz) Date: 2018-10-15 06:44
The get_class() call in save_reduce() is not checked for failure.
msg327733 Author: Serhiy Storchaka (serhiy.storchaka) (Python committer) Date: 2018-10-15 06:59
It is checked, and there is a comment about this.

    p = obj_class != cls;    /* true iff a problem */
msg327739 Author: Zackery Spytz (ZackerySpytz) Date: 2018-10-15 09:19
It is not properly checked: Py_DECREF() is always called on the result of get_class(), but get_class() can return NULL.
msg327960 Author: Serhiy Storchaka (serhiy.storchaka) (Python committer) Date: 2018-10-18 10:32
You are right. Although, get_class() can return NULL without setting an exception. We have to set an exception in such a case (the same exception as for `obj_class != cls` looks appropriate).
msg329465 Author: Serhiy Storchaka (serhiy.storchaka) (Python committer) Date: 2018-11-08 09:51
I was wrong. get_class() returns NULL when and only when an exception is set.
Date User Action Args
2018-11-08 09:51:49 serhiy.storchaka set messages: + msg329465
2018-10-18 10:32:46 serhiy.storchaka set messages: + msg327960
2018-10-15 09:19:51 ZackerySpytz set messages: + msg327739
2018-10-15 06:59:21 serhiy.storchaka set nosy: + serhiy.storchaka; messages: + msg327733
2018-10-15 06:47:00 ZackerySpytz set keywords: + patch; stage: patch review; pull_requests: + pull_request9249
2018-10-15 06:44:10 ZackerySpytz create
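
The pattern discussed in this issue, as an added example that is neither CPython's code nor the patch in PR 9886: a self-contained C model of a lookup result that is compared and then always released, beside a form that tests for NULL first. `obj_t`, `lookup_class()`, `obj_decref()` and the `pending` error flag are constructed stand-ins for a reference-counted object, `get_class()`, `Py_DECREF()` and the exception state.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins, not CPython's types or API. */
typedef struct { int refcnt; } obj_t;
enum err { ERR_NONE, ERR_LOOKUP, ERR_WRONG_CLASS };
static enum err pending = ERR_NONE;      /* models "an exception is set" */

/* Like Py_DECREF: dereferences its argument with no NULL test. */
static void obj_decref(obj_t *o) { o->refcnt--; }

/* Models get_class(): new reference on success, NULL with error set on failure. */
static obj_t *lookup_class(obj_t *cls, int fail) {
    if (fail) { pending = ERR_LOOKUP; return NULL; }
    cls->refcnt++;
    return cls;
}

/* Pattern reported in the issue: the result is compared, then always released. */
int verify_class_unchecked(obj_t *actual, obj_t *expected, int fail) {
    obj_t *obj_class = lookup_class(actual, fail);
    int p = obj_class != expected;       /* true for NULL as well */
    obj_decref(obj_class);               /* NULL dereference when lookup failed */
    if (p) { pending = ERR_WRONG_CLASS; return -1; }
    return 0;
}

/* Checked form: test for NULL first and propagate the error already set. */
int verify_class_checked(obj_t *actual, obj_t *expected, int fail) {
    obj_t *obj_class = lookup_class(actual, fail);
    if (obj_class == NULL)
        return -1;
    int p = obj_class != expected;
    obj_decref(obj_class);
    if (p) { pending = ERR_WRONG_CLASS; return -1; }
    return 0;
}

int main(void) {
    obj_t a = {1}, b = {1};
    int r1 = verify_class_checked(&a, &a, 0);
    int r2 = verify_class_checked(&a, &b, 0);
    int r3 = verify_class_checked(&a, &a, 1);
    printf("match=%d mismatch=%d lookup-failure=%d pending=%d\n", r1, r2, r3, pending);
    return 0;
}
```

In the checked form the lookup's own error is what the caller sees on failure, and the reference count stays balanced on every path.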