Thanks to visit codestin.com
Credit goes to github.com

Skip to content

gh-115952: Fix a potential virtual memory allocation denial of service in pickle #119204

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
serhiy-storchaka merged 30 commits into from
Dec 5, 2025
Merged

gh-115952: Fix a potential virtual memory allocation denial of service in pickle #119204

Changes from 1 commit
Commits
Show all changes
30 commits
Select commit Hold shift + click to select a range
822230d
gh-115952: Fix vulnerability in the pickle module
serhiy-storchaka May 20, 2024
88f1461
Try to fix tests of 32-bit platforms.
serhiy-storchaka May 20, 2024
048099b
Try to fix more tests on 32-bit platforms.
serhiy-storchaka May 20, 2024
d9d1d1d
Apply suggestions from code review
serhiy-storchaka May 22, 2024
6f6f765
Merge branch 'main' into unpickle-overallocate
serhiy-storchaka May 22, 2024
d0e667e
Remove empty lines.
serhiy-storchaka Jun 29, 2024
3462d0e
Merge branch 'main' into unpickle-overallocate
serhiy-storchaka Jun 29, 2024
becbd25
Merge remote-tracking branch 'refs/remotes/origin/unpickle-overalloca…
serhiy-storchaka Jun 29, 2024
b257974
Change names, add more commentis and update the NEWS entry.
serhiy-storchaka Jun 30, 2024
1e487ca
Merge branch 'main' into unpickle-overallocate
serhiy-storchaka Sep 6, 2024
184984d
Support arbitrary non-continuous memo keys.
serhiy-storchaka Sep 6, 2024
f0c0728
Reworded NEWS a bit.
gpshead Sep 27, 2024
1f4e2f1
Merge branch 'main' into unpickle-overallocate
serhiy-storchaka Sep 28, 2024
c72d095
Fix C to Python integer conversion.
serhiy-storchaka Sep 28, 2024
e89bfea
Add more comments.
serhiy-storchaka Sep 28, 2024
a80106c
Fix test on 32-bit platforms.
serhiy-storchaka Sep 28, 2024
01bc6b9
Merge branch 'main' into unpickle-overallocate
serhiy-storchaka Apr 8, 2025
20aa1bf
Fix __sizeof__.
serhiy-storchaka Apr 8, 2025
ab58869
Merge branch 'main' into unpickle-overallocate
serhiy-storchaka Apr 9, 2025
2a1cff8
Merge branch 'main' into unpickle-overallocate
serhiy-storchaka Nov 18, 2025
9d4af4e
Improve security in pickle module
serhiy-storchaka Nov 18, 2025
572a2f2
reword NEWS a bit
gpshead Nov 23, 2025
d6279ae
add a couple of comments
gpshead Nov 23, 2025
022108d
expand comment in test_too_large_long_binput
gpshead Nov 23, 2025
f5f50e7
Add memory DoS impact benchmark for pickle module
gpshead Nov 24, 2025
44dbe03
fix docs build?
gpshead Nov 24, 2025
a29c90c
Merge branch 'main' into unpickle-overallocate
gpshead Nov 24, 2025
583df53
Merge branch 'main' into unpickle-overallocate
serhiy-storchaka Nov 27, 2025
54dfd58
Merge branch 'main' into unpickle-overallocate
serhiy-storchaka Dec 1, 2025
7afe4e1
Update comments.
serhiy-storchaka Dec 1, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Update comments.
  • Loading branch information
@serhiy-storchaka
serhiy-storchaka committed Dec 1, 2025
commit 7afe4e1caa56f6e7ee7644c60e2a0bf64f01b9ef
13 changes: 11 additions & 2 deletions Lib/test/pickletester.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1164,7 +1164,14 @@ def test_negative_32b_binput(self):

def test_too_large_put(self):
Copy link
Copy Markdown
Member

@gpshead gpshead Sep 27, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add a comment explaining why this and the next test method result in ([], []) being returned no matter what rather than an error when the values are too large? (I suspect readers with a knowledge of the specific pickle protocol may understand, but it isn't obvious otherwise)

# Test that PUT with large id does not cause allocation of
# too large memo table.
# too large memo table. The C implementation uses a dict-based memo
# for sparse indices (when idx > memo_len * 2) instead of allocating
# a massive array. This test verifies large sparse indices work without
# causing memory exhaustion.
#
# The following simple pickle creates an empty list, memoizes it
# using a large index, then loads it back on the stack, builds
# a tuple containing 2 identical empty lists and returns it.
data = lambda n: (b'((lp' + str(n).encode() + b'\n' +
b'g' + str(n).encode() + b'\nt.')
# 0: ( MARK
Expand All @@ -1186,7 +1193,9 @@ def test_too_large_long_binput(self):
# a massive array. This test verifies large sparse indices work without
# causing memory exhaustion.
#
# If the threshold formula changes, ensure test indices still exceed it.
# The following simple pickle creates an empty list, memoizes it
# using a large index, then loads it back on the stack, builds
# a tuple containing 2 identical empty lists and returns it.
data = lambda n: (b'(]r' + struct.pack('<I', n) +
b'j' + struct.pack('<I', n) + b't.')
# 0: ( MARK
Expand Down
Loading