Merge in release25-maint r60793:
Added checks for integer overflows, contributed by Google. Some are
only available if asserts are left in the code, in cases where they
can't be triggered from Python code.
diff --git a/Modules/cPickle.c b/Modules/cPickle.c
index f130087..51fc226 100644
--- a/Modules/cPickle.c
+++ b/Modules/cPickle.c
@@ -3435,6 +3435,14 @@
if (self->read_func(self, &s, 4) < 0) return -1;
l = calc_binint(s, 4);
+ if (l < 0) {
+ /* Corrupt or hostile pickle -- we never write one like
+ * this.
+ */
+ PyErr_SetString(UnpicklingError,
+ "BINSTRING pickle has negative byte count");
+ return -1;
+ }
if (self->read_func(self, &s, l) < 0)
return -1;
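Review bot: Only the negative case of `l` is rejected here; any positive count decoded from the four length bytes is still passed unchanged to `self->read_func(self, &s, l)`, so a declared length far larger than the remaining input is left for read_func to handle. read_func is not visible in this hunk, so it should be confirmed whether it sizes a buffer from `l` before reading; if it does, a corrupt or truncated pickle can still trigger a very large allocation. At minimum I would extend the new comment to record that assumption, e.g. `/* l >= 0 from here on; oversized counts are left to read_func to reject */`. The same applies to the BINUNICODE hunk at -3502, and both enclosing functions start and end outside their hunks.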
@@ -3502,6 +3510,14 @@
if (self->read_func(self, &s, 4) < 0) return -1;
l = calc_binint(s, 4);
+ if (l < 0) {
+ /* Corrupt or hostile pickle -- we never write one like
+ * this.
+ */
+ PyErr_SetString(UnpicklingError,
+ "BINUNICODE pickle has negative byte count");
+ return -1;
+ }
if (self->read_func(self, &s, l) < 0)
return -1;