Title: pickle segfault or MemoryError on invalid input
Type: crash Stage:
Components: Library (Lib) Versions: Python 3.0
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: Nosy List: amaury.forgeotdarc, hagen, ocean-city
Priority: normal Keywords: patch

Created on 2008-11-11 15:07 by hagen, last changed 2008-11-11 20:05 by amaury.forgeotdarc. This issue is now closed.

File name Uploaded Description Edit
py3k_set_EOFError_when_invalid_result_size.patch ocean-city, 2008-11-11 16:45
Messages (3)
msg75743 - (view) Author: Hagen Fürstenau (hagen) Date: 2008-11-11 15:07
On a 64-bit build pickle.loads segfaults on the following bytes. (Same
for pickle.load on a corresponding file.) On a 32-bit build there is
only a MemoryError.

Python 3.0rc2 (r30rc2:67114, Nov 10 2008, 12:09:54)
[GCC 4.1.2 20070925 (Red Hat 4.1.2-27)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import pickle
>>> pickle.loads(bytes([0x58, 0, 0, 0, 0x54]))
Segmentation fault
msg75748 - (view) Author: Hirokazu Yamamoto (ocean-city) * (Python committer) Date: 2008-11-11 16:45
See trunk/Modules/cPickle.c(609).

static Py_ssize_t
read_cStringIO(Unpicklerobject *self, char **s, Py_ssize_t  n)
{
	char *ptr;

	if (PycStringIO->cread((PyObject *)self->file, &ptr, n) != n) {
		return -1;
	}

	*s = ptr;

	return n;
}

It checks the length of the returned string and, if it does not match,
raises EOFError. But there is no corresponding code in py3k.

I hope the attached patch will fix this issue.
msg75758 - (view) Author: Amaury Forgeot d'Arc (amaury.forgeotdarc) * (Python committer) Date: 2008-11-11 20:05
Fixed in r67187. Thanks for the report, and for the patch!
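
The length check discussed in this thread, as an added example that is not part of the original messages or of CPython's own code: a reader that returns exactly n bytes or raises EOFError, applied to the five bytes from the report. The helper names (read_exact, binunicode_header, read_binunicode, loads_outcome) are hypothetical; the layout assumed is pickle's BINUNICODE opcode (b"X", a 4-byte little-endian length, then UTF-8 data).

```python
import io
import pickle
import struct

# The five bytes from the report: opcode 0x58 ('X') plus a length field.
REPORTED = bytes([0x58, 0, 0, 0, 0x54])

def read_exact(stream, n):
    """Return exactly n bytes, or raise EOFError on a short read.

    This is the comparison read_cStringIO makes (bytes returned != n).
    """
    data = stream.read(n)
    if len(data) != n:
        raise EOFError(f"wanted {n} bytes, got {len(data)}")
    return data

def binunicode_header(payload):
    """Return (declared_length, bytes_actually_available) for a BINUNICODE."""
    stream = io.BytesIO(payload)
    if read_exact(stream, 1) != b"X":
        raise ValueError("payload does not start with BINUNICODE")
    (declared,) = struct.unpack("<I", read_exact(stream, 4))
    return declared, len(payload) - stream.tell()

def read_binunicode(payload):
    """Decode one BINUNICODE string, refusing truncated input."""
    stream = io.BytesIO(payload)
    if read_exact(stream, 1) != b"X":
        raise ValueError("payload does not start with BINUNICODE")
    (declared,) = struct.unpack("<I", read_exact(stream, 4))
    # Without the check in read_exact, a short buffer would be treated
    # as if it held `declared` bytes.
    return read_exact(stream, declared).decode("utf-8")

def loads_outcome(payload):
    """Name of the exception pickle.loads raises for payload, or 'ok'."""
    try:
        pickle.loads(payload)
    except (EOFError, pickle.UnpicklingError, MemoryError) as exc:
        return type(exc).__name__
    return "ok"

if __name__ == "__main__":
    print(binunicode_header(REPORTED))   # declared length vs. bytes present
    print(loads_outcome(REPORTED))       # an exception name, not a crash
```
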
Date | User | Action | Args
2008-11-11 20:05:39 | amaury.forgeotdarc | set | status: open -> closed; resolution: fixed; messages: + msg75758; nosy: + amaury.forgeotdarc
2008-11-11 16:45:42 | ocean-city | set | files: + py3k_set_EOFError_when_invalid_result_size.patch; keywords: + patch; messages: + msg75748; nosy: + ocean-city
2008-11-11 15:07:50 | hagen | create |