Thanks to visit codestin.com
Credit goes to github.com

Skip to content

gh-115952: Fix a potential virtual memory allocation denial of service in pickle #119204

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
serhiy-storchaka merged 30 commits into from
Dec 5, 2025
Merged

gh-115952: Fix a potential virtual memory allocation denial of service in pickle #119204

Changes from 1 commit
Commits
Show all changes
30 commits
Select commit Hold shift + click to select a range
822230d
gh-115952: Fix vulnerability in the pickle module
serhiy-storchaka May 20, 2024
88f1461
Try to fix tests of 32-bit platforms.
serhiy-storchaka May 20, 2024
048099b
Try to fix more tests on 32-bit platforms.
serhiy-storchaka May 20, 2024
d9d1d1d
Apply suggestions from code review
serhiy-storchaka May 22, 2024
6f6f765
Merge branch 'main' into unpickle-overallocate
serhiy-storchaka May 22, 2024
d0e667e
Remove empty lines.
serhiy-storchaka Jun 29, 2024
3462d0e
Merge branch 'main' into unpickle-overallocate
serhiy-storchaka Jun 29, 2024
becbd25
Merge remote-tracking branch 'refs/remotes/origin/unpickle-overalloca…
serhiy-storchaka Jun 29, 2024
b257974
Change names, add more commentis and update the NEWS entry.
serhiy-storchaka Jun 30, 2024
1e487ca
Merge branch 'main' into unpickle-overallocate
serhiy-storchaka Sep 6, 2024
184984d
Support arbitrary non-continuous memo keys.
serhiy-storchaka Sep 6, 2024
f0c0728
Reworded NEWS a bit.
gpshead Sep 27, 2024
1f4e2f1
Merge branch 'main' into unpickle-overallocate
serhiy-storchaka Sep 28, 2024
c72d095
Fix C to Python integer conversion.
serhiy-storchaka Sep 28, 2024
e89bfea
Add more comments.
serhiy-storchaka Sep 28, 2024
a80106c
Fix test on 32-bit platforms.
serhiy-storchaka Sep 28, 2024
01bc6b9
Merge branch 'main' into unpickle-overallocate
serhiy-storchaka Apr 8, 2025
20aa1bf
Fix __sizeof__.
serhiy-storchaka Apr 8, 2025
ab58869
Merge branch 'main' into unpickle-overallocate
serhiy-storchaka Apr 9, 2025
2a1cff8
Merge branch 'main' into unpickle-overallocate
serhiy-storchaka Nov 18, 2025
9d4af4e
Improve security in pickle module
serhiy-storchaka Nov 18, 2025
572a2f2
reword NEWS a bit
gpshead Nov 23, 2025
d6279ae
add a couple of comments
gpshead Nov 23, 2025
022108d
expand comment in test_too_large_long_binput
gpshead Nov 23, 2025
f5f50e7
Add memory DoS impact benchmark for pickle module
gpshead Nov 24, 2025
44dbe03
fix docs build?
gpshead Nov 24, 2025
a29c90c
Merge branch 'main' into unpickle-overallocate
gpshead Nov 24, 2025
583df53
Merge branch 'main' into unpickle-overallocate
serhiy-storchaka Nov 27, 2025
54dfd58
Merge branch 'main' into unpickle-overallocate
serhiy-storchaka Dec 1, 2025
7afe4e1
Update comments.
serhiy-storchaka Dec 1, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
expand comment in test_too_large_long_binput
  • Loading branch information
@gpshead
gpshead committed Nov 23, 2025
commit 022108def3aa22f0cfe817a4e1336cbfb27907b3
7 changes: 6 additions & 1 deletion Lib/test/pickletester.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1181,7 +1181,12 @@ def test_too_large_put(self):

def test_too_large_long_binput(self):
# Test that LONG_BINPUT with large id does not cause allocation of
# too large memo table.
# too large memo table. The C implementation uses a dict-based memo
# for sparse indices (when idx > memo_len * 2) instead of allocating
# a massive array. This test verifies large sparse indices work without
# causing memory exhaustion.
#
# If the threshold formula changes, ensure test indices still exceed it.
Copy link
Copy Markdown
Member Author

@serhiy-storchaka serhiy-storchaka Dec 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I removed this sentence because the test actually does not depend on any thresholds. It starts with 1 << 20 just to save time, but it will work for smaller or larger thresholds.

data = lambda n: (b'(]r' + struct.pack('<I', n) +
b'j' + struct.pack('<I', n) + b't.')
# 0: ( MARK
Expand Down