Bug report
Bug description:
Description
Location: Python/marshal.c, function r_object(), TYPE_SLICE case
Issue: The code didn't validate the return value of r_ref_reserve() before passing it to r_ref_insert(). If r_ref_reserve() fails and returns -1, this would cause an out-of-bounds memory access when r_ref_insert() tries to access p->refs[-1].
Root Cause: Inconsistent error handling compared to other similar cases in the same file (e.g., TYPE_CODE and TYPE_FROZENSET properly check for r_ref_reserve() failure).
Impact
- Security: Potential memory corruption vulnerability exploitable via crafted marshal data
- Stability: Could cause crashes when deserializing slice objects in error conditions
- Scope: Affects applications using the marshal module to deserialize untrusted data
CPython versions tested on:
CPython main branch
Operating systems tested on:
Linux
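An added illustration of the pattern described in this report, not CPython's source: a simplified C model with hypothetical names (`reader`, `ref_reserve`, `ref_insert`, `read_slice_unchecked`, `read_slice_checked`). It assumes a guard word placed directly before the table, so the write at index -1 stays inside one array and its effect can be checked.

```c
#include <stddef.h>
#include <stdio.h>
#define CAP 2            /* constructed table capacity */
#define CANARY 0x5AFEL   /* guard value standing in for adjacent memory */
/* Simplified model, not CPython's RFILE. slots[0] is the guard word and
 * refs points at slots[1], so refs[-1] is slots[0]: the stray write stays
 * inside one array (defined behaviour) and can be observed. */
typedef struct { long slots[CAP + 1]; long *refs; ptrdiff_t used; } reader;

static void reader_init(reader *r) {
    r->slots[0] = CANARY;
    r->refs = &r->slots[1];
    r->used = 0;
}

/* Reserve a slot: returns its index, or -1 when the table is full. */
static ptrdiff_t ref_reserve(reader *r) {
    if (r->used >= CAP) return -1;
    r->refs[r->used] = 0;
    return r->used++;
}

/* Trusts idx completely, as the insert step in the report does. */
static void ref_insert(reader *r, ptrdiff_t idx, long v) { r->refs[idx] = v; }
/* Reported pattern: the reserve result reaches the insert unvalidated. */
static int read_slice_unchecked(reader *r, long v) {
    ref_insert(r, ref_reserve(r), v);
    return 0;
}

/* Checked pattern: fail the read before the insert can run. */
static int read_slice_checked(reader *r, long v) {
    ptrdiff_t idx = ref_reserve(r);
    if (idx < 0) return -1;
    ref_insert(r, idx, v);
    return 0;
}
static int guard_intact(const reader *r) { return r->slots[0] == CANARY; }

int main(void) {
    reader r;
    reader_init(&r);
    for (long v = 1; v <= CAP; v++) read_slice_checked(&r, v);  /* fill table */
    int rc = read_slice_checked(&r, 99);     /* reserve fails, read fails */
    printf("checked:   rc=%d guard_intact=%d\n", rc, guard_intact(&r));
    rc = read_slice_unchecked(&r, 99);       /* reserve fails, insert runs */
    printf("unchecked: rc=%d guard_intact=%d\n", rc, guard_intact(&r));
    return 0;
}
```

In the model, the unchecked path reports success while the value lands in the guard word; the checked path returns an error and leaves the guard untouched.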