changeset: 99338:c85eca74f3a5 branch: 3.4 parent: 99335:01998efb605a user: Serhiy Storchaka date: Wed Nov 25 15:01:53 2015 +0200 files: Misc/NEWS Modules/_pickle.c description: Issue #25725: Fixed a reference leak in pickle.loads() when unpickling invalid data including tuple instructions. diff -r 01998efb605a -r c85eca74f3a5 Misc/NEWS --- a/Misc/NEWS Tue Nov 24 23:21:15 2015 +0000 +++ b/Misc/NEWS Wed Nov 25 15:01:53 2015 +0200 @@ -106,6 +106,9 @@ Library ------- +- Issue #25725: Fixed a reference leak in pickle.loads() when unpickling + invalid data including tuple instructions. + - Issue #25663: In the Readline completer, avoid listing duplicate global names, and search the global namespace before searching builtins. diff -r 01998efb605a -r c85eca74f3a5 Modules/_pickle.c --- a/Modules/_pickle.c Tue Nov 24 23:21:15 2015 +0000 +++ b/Modules/_pickle.c Wed Nov 25 15:01:53 2015 +0200 @@ -4915,15 +4915,14 @@ } static int -load_tuple(UnpicklerObject *self) +load_counted_tuple(UnpicklerObject *self, int len) { PyObject *tuple; - Py_ssize_t i; - - if ((i = marker(self)) < 0) - return -1; - - tuple = Pdata_poptuple(self->stack, i); + + if (Py_SIZE(self->stack) < len) + return stack_underflow(); + + tuple = Pdata_poptuple(self->stack, Py_SIZE(self->stack) - len); if (tuple == NULL) return -1; PDATA_PUSH(self->stack, tuple, -1); @@ -4931,24 +4930,14 @@ } static int -load_counted_tuple(UnpicklerObject *self, int len) -{ - PyObject *tuple; - - tuple = PyTuple_New(len); - if (tuple == NULL) - return -1; - - while (--len >= 0) { - PyObject *item; - - PDATA_POP(self->stack, item); - if (item == NULL) - return -1; - PyTuple_SET_ITEM(tuple, len, item); - } - PDATA_PUSH(self->stack, tuple, -1); - return 0; +load_tuple(UnpicklerObject *self) +{ + Py_ssize_t i; + + if ((i = marker(self)) < 0) + return -1; + + return load_counted_tuple(self, Py_SIZE(self->stack) - i); } static int
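Review bot: `load_counted_tuple` keeps the parameter `int len`, but the rewritten `load_tuple` in the second `Modules/_pickle.c` hunk now passes `Py_SIZE(self->stack) - i`, a `Py_ssize_t` difference, so on 64-bit builds the count is silently narrowed before the underflow check runs. The guard `Py_SIZE(self->stack) < len` also lets a negative `len` through, whether from that truncation or from a mark position above the current stack top (`marker()` is not visible here, so this is unconfirmed). `Pdata_poptuple` would then be called with a start index past the end of the stack, and its handling of that lies outside the diff. Because this path parses attacker-controllable pickle bytes, I would widen the parameter and reject negatives explicitly: `load_counted_tuple(UnpicklerObject *self, Py_ssize_t len)` with `if (len < 0 || Py_SIZE(self->stack) < len) return stack_underflow();`. The changeset lists only `Misc/NEWS` and `Modules/_pickle.c`, so a regression test that feeds tuple opcodes with too few stack items would be worth adding alongside the fix.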