Fix bug

Michael W. Hudson · Michael W. Hudson · commit f2ca5af43919 · 2005-06-13T18:28:46.000Z
[ 1180997 ] lax error-checking in new-in-2.4 marshal stuff

which I'd assigned to Martin, but actually turned out to be easy to fix.

Also, a test.
diff --git a/Lib/test/test_marshal.py b/Lib/test/test_marshal.py
@@ -211,6 +211,15 @@ def test_version_argument(self):
         self.assertEquals(marshal.loads(marshal.dumps(5, 0)), 5)
         self.assertEquals(marshal.loads(marshal.dumps(5, 1)), 5)
 
+    def test_fuzz(self):
+        # simple test that it's at least not *totally* trivial to
+        # crash from bad marshal data
+        for c in [chr(i) for i in range(256)]:
+            try:
+                marshal.loads(c)
+            except Exception:
+                pass
+
 def test_main():
     test_support.run_unittest(IntTestCase,
                               FloatTestCase,
diff --git a/Python/marshal.c b/Python/marshal.c
@@ -648,6 +648,10 @@ r_object(RFILE *p)
 
 	case TYPE_STRINGREF:
 		n = r_long(p);
+		if (n < 0 || n >= PyList_GET_SIZE(p->strings)) {
+			PyErr_SetString(PyExc_ValueError, "bad marshal data");
+			return NULL;
+		}
 		v = PyList_GET_ITEM(p->strings, n);
 		Py_INCREF(v);
 		return v;
