#4298: pickle.load() can segfault on invalid or truncated input.

Patch and test by Hirokazu Yamamoto.
2026-01-03 22:12:27 +00:00 · 2008-11-11 20:05:06 +00:00 · 2008-11-11 20:05:06 +00:00 · 3e4e72f66f
commit 3e4e72f66f
parent 3bae65bacd
3 changed files with 13 additions and 1 deletions
--- a/Lib/test/pickletester.py
+++ b/Lib/test/pickletester.py
@ -1032,6 +1032,11 @@ def __init__(self): pass
        self.assertRaises(pickle.PicklingError, BadPickler().dump, 0)
        self.assertRaises(pickle.UnpicklingError, BadUnpickler().load)

+    def test_bad_input(self):
+        # Test issue4298
+        s = bytes([0x58, 0, 0, 0, 0x54])
+        self.assertRaises(EOFError, pickle.loads, s)
+

 class AbstractPersistentPicklerTests(unittest.TestCase):

--- a/Misc/NEWS
+++ b/Misc/NEWS
@ -16,7 +16,9 @@ Core and Builtins
 Library
 -------

- Issue #4283: fix a left-over "iteritems" call in distutils.
+- Issue #4298: Fix a segfault when pickle.loads is passed a ill-formed input.
+
+- Issue #4283: Fix a left-over "iteritems" call in distutils.

 Build
 -----
--- a/Modules/_pickle.c
+++ b/Modules/_pickle.c
@ -489,6 +489,11 @@ unpickler_read(UnpicklerObject *self, char **s, Py_ssize_t n)
        return -1;
    }

+    if (PyBytes_GET_SIZE(data) != n) {
+        PyErr_SetNone(PyExc_EOFError);
+        return -1;
+    }
+
    Py_XDECREF(self->last_string);
    self->last_string = data;