Added checks for integer overflows, contributed by Google. Some of the
checks are only active if asserts are left in the code; this applies to
cases that can't be triggered from Python code.
diff --git a/Modules/cPickle.c b/Modules/cPickle.c
index b552a40..537276c 100644
--- a/Modules/cPickle.c
+++ b/Modules/cPickle.c
@@ -3432,6 +3432,14 @@
 	if (self->read_func(self, &s, 4) < 0) return -1;
 
 	l = calc_binint(s, 4);
+	if (l < 0) {
+		/* Corrupt or hostile pickle -- we never write one like
+		 * this.
+		 */
+		PyErr_SetString(UnpicklingError,
+				"BINSTRING pickle has negative byte count");
+		return -1;
+	}
 
 	if (self->read_func(self, &s, l) < 0)
 		return -1;
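Review bot: The new guard rejects only a negative count, so a four-byte length of up to 2^31-1 taken from the pickle stream still goes straight into `self->read_func(self, &s, l)` on the next line. Whether `read_func` sizes a buffer from `l` before confirming that much data is actually available is not visible in this hunk, so this is worth confirming for each reader implementation. If the readers do fail cleanly on a short read, record that next to the check, for example `/* l >= 0 here; read_func rejects a count larger than the remaining input */`. The same applies to the BINUNICODE hunk below. The enclosing function starts and ends outside the hunk.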
@@ -3499,6 +3507,14 @@
 	if (self->read_func(self, &s, 4) < 0) return -1;
 
 	l = calc_binint(s, 4);
+	if (l < 0) {
+		/* Corrupt or hostile pickle -- we never write one like
+		 * this.
+		 */
+		PyErr_SetString(UnpicklingError,
+				"BINUNICODE pickle has negative byte count");
+		return -1;
+	}
 
 	if (self->read_func(self, &s, l) < 0)
 		return -1;