prevent overflow in _Unpickler_Read

benjaminp · benjaminp · commit e48cf7e72992 · 2015-09-26T00:08:34.000-07:00
diff --git a/Misc/NEWS b/Misc/NEWS
@@ -81,6 +81,8 @@ Core and Builtins
 Library
 -------
 
+- Prevent overflow in _Unpickler_Read.
+
 - Issue #25047: The XML encoding declaration written by Element Tree now
   respects the letter case given by the user. This restores the ability to
   write encoding names in uppercase like "UTF-8", which worked in Python 2.
diff --git a/Modules/_pickle.c b/Modules/_pickle.c
@@ -1182,6 +1182,12 @@ _Unpickler_Read(UnpicklerObject *self, char **s, Py_ssize_t n)
 {
     Py_ssize_t num_read;
 
+    if (self->next_read_idx > PY_SSIZE_T_MAX - n) {
+        PickleState *st = _Pickle_GetGlobalState();
+        PyErr_SetString(st->UnpicklingError,
+                        "read would overflow (invalid bytecode)");
+        return -1;
+    }
     if (self->next_read_idx + n <= self->input_len) {
         *s = self->input_buffer + self->next_read_idx;
         self->next_read_idx += n;
