#4298: pickle.load() can segfault on invalid or truncated input.
Patch and test by Hirokazu Yamamoto.
diff --git a/Lib/test/pickletester.py b/Lib/test/pickletester.py
index 8519fb5..c7c89d1 100644
--- a/Lib/test/pickletester.py
+++ b/Lib/test/pickletester.py
@@ -1032,6 +1032,11 @@
self.assertRaises(pickle.PicklingError, BadPickler().dump, 0)
self.assertRaises(pickle.UnpicklingError, BadUnpickler().load)
+ def test_bad_input(self):
+ # Test issue4298
+ s = bytes([0x58, 0, 0, 0, 0x54])
+ self.assertRaises(EOFError, pickle.loads, s)
+
class AbstractPersistentPicklerTests(unittest.TestCase):
diff --git a/Misc/NEWS b/Misc/NEWS
index 36095e0..3a8f467 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -16,7 +16,9 @@
Library
-------
-- Issue #4283: fix a left-over "iteritems" call in distutils.
+- Issue #4298: Fix a segfault when pickle.loads is passed a ill-formed input.
+
+- Issue #4283: Fix a left-over "iteritems" call in distutils.
Build
-----
diff --git a/Modules/_pickle.c b/Modules/_pickle.c
index a689c33..c1facd8 100644
--- a/Modules/_pickle.c
+++ b/Modules/_pickle.c
@@ -489,6 +489,11 @@
return -1;
}
+ if (PyBytes_GET_SIZE(data) != n) {
+ PyErr_SetNone(PyExc_EOFError);
+ return -1;
+ }
+
Py_XDECREF(self->last_string);
self->last_string = data;