Thanks to visit codestin.com
Credit goes to github.com

Skip to content

gh-115952: Fix a potential virtual memory allocation denial of service in pickle #119204

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
serhiy-storchaka merged 30 commits into from
Dec 5, 2025
Merged

gh-115952: Fix a potential virtual memory allocation denial of service in pickle #119204

Changes from 1 commit
Commits
Show all changes
30 commits
Select commit Hold shift + click to select a range
822230d
gh-115952: Fix vulnerability in the pickle module
serhiy-storchaka May 20, 2024
88f1461
Try to fix tests of 32-bit platforms.
serhiy-storchaka May 20, 2024
048099b
Try to fix more tests on 32-bit platforms.
serhiy-storchaka May 20, 2024
d9d1d1d
Apply suggestions from code review
serhiy-storchaka May 22, 2024
6f6f765
Merge branch 'main' into unpickle-overallocate
serhiy-storchaka May 22, 2024
d0e667e
Remove empty lines.
serhiy-storchaka Jun 29, 2024
3462d0e
Merge branch 'main' into unpickle-overallocate
serhiy-storchaka Jun 29, 2024
becbd25
Merge remote-tracking branch 'refs/remotes/origin/unpickle-overalloca…
serhiy-storchaka Jun 29, 2024
b257974
Change names, add more commentis and update the NEWS entry.
serhiy-storchaka Jun 30, 2024
1e487ca
Merge branch 'main' into unpickle-overallocate
serhiy-storchaka Sep 6, 2024
184984d
Support arbitrary non-continuous memo keys.
serhiy-storchaka Sep 6, 2024
f0c0728
Reworded NEWS a bit.
gpshead Sep 27, 2024
1f4e2f1
Merge branch 'main' into unpickle-overallocate
serhiy-storchaka Sep 28, 2024
c72d095
Fix C to Python integer conversion.
serhiy-storchaka Sep 28, 2024
e89bfea
Add more comments.
serhiy-storchaka Sep 28, 2024
a80106c
Fix test on 32-bit platforms.
serhiy-storchaka Sep 28, 2024
01bc6b9
Merge branch 'main' into unpickle-overallocate
serhiy-storchaka Apr 8, 2025
20aa1bf
Fix __sizeof__.
serhiy-storchaka Apr 8, 2025
ab58869
Merge branch 'main' into unpickle-overallocate
serhiy-storchaka Apr 9, 2025
2a1cff8
Merge branch 'main' into unpickle-overallocate
serhiy-storchaka Nov 18, 2025
9d4af4e
Improve security in pickle module
serhiy-storchaka Nov 18, 2025
572a2f2
reword NEWS a bit
gpshead Nov 23, 2025
d6279ae
add a couple of comments
gpshead Nov 23, 2025
022108d
expand comment in test_too_large_long_binput
gpshead Nov 23, 2025
f5f50e7
Add memory DoS impact benchmark for pickle module
gpshead Nov 24, 2025
44dbe03
fix docs build?
gpshead Nov 24, 2025
a29c90c
Merge branch 'main' into unpickle-overallocate
gpshead Nov 24, 2025
583df53
Merge branch 'main' into unpickle-overallocate
serhiy-storchaka Nov 27, 2025
54dfd58
Merge branch 'main' into unpickle-overallocate
serhiy-storchaka Dec 1, 2025
7afe4e1
Update comments.
serhiy-storchaka Dec 1, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Add more comments.
  • Loading branch information
@serhiy-storchaka
serhiy-storchaka committed Sep 28, 2024
commit e89bfeabd717e91c3e5c159cabc8f865d291fc19
72 changes: 54 additions & 18 deletions Lib/test/pickletester.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -74,6 +74,15 @@ def count_opcode(code, pickle):
def identity(x):
return x

def itersize(start, stop):
# Produce geometrical increasing sequence from start to stop
# (inclusively) for tests.
size = start
while size < stop:
yield size
size <<= 1
yield stop


class UnseekableIO(io.BytesIO):
def peek(self, *args):
Expand Down Expand Up @@ -1118,28 +1127,38 @@ def test_negative_32b_binput(self):
dumped = b'\x80\x03X\x01\x00\x00\x00ar\xff\xff\xff\xff.'
self.check_unpickling_error(ValueError, dumped)

def itersize(self, start, stop):
# Produce geometrical increasing sequence from start to stop
# (inclusively) for tests.
size = start
while size < stop:
yield size
size <<= 1
yield stop

def test_too_large_put(self):
Copy link
Copy Markdown
Member

@gpshead gpshead Sep 27, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add a comment explaining why this and the next test method result in ([], []) being returned no matter what rather than an error when the values are too large? (I suspect readers with a knowledge of the specific pickle protocol may understand, but it isn't obvious otherwise)

# Test that PUT with large id does not cause allocation of
# too large memo table.
data = lambda n: (b'((lp' + str(n).encode() + b'\n' +
b'g' + str(n).encode() + b'\nt.')
# 0: ( MARK
# 1: ( MARK
# 2: l LIST (MARK at 1)
# 3: p PUT 1000000000000
# 18: g GET 1000000000000
# 33: t TUPLE (MARK at 0)
# 34: . STOP
for idx in [10**6, 10**9, 10**12]:
self.assertEqual(self.loads(data(idx)), ([],)*2)

def test_too_large_long_binput(self):
# Test that LONG_BINPUT with large id does not cause allocation of
# too large memo table.
data = lambda n: (b'(]r' + struct.pack('<I', n) +
b'j' + struct.pack('<I', n) + b't.')
for idx in self.itersize(1 << 20, min(sys.maxsize, (1 << 32) - 1)):
# 0: ( MARK
# 1: ] EMPTY_LIST
# 2: r LONG_BINPUT 4294967295
# 7: j LONG_BINGET 4294967295
# 12: t TUPLE (MARK at 0)
# 13: . STOP
for idx in itersize(1 << 20, min(sys.maxsize, (1 << 32) - 1)):
self.assertEqual(self.loads(data(idx)), ([],)*2)

def _test_truncated_data(self, dumped, expected_error=None):
# Test that instructions to read large data without providing
# such amount of data do not cause large memory usage.
if expected_error is None:
expected_error = self.truncated_data_error
# BytesIO
Expand All @@ -1164,36 +1183,47 @@ def _test_truncated_data(self, dumped, expected_error=None):

def test_truncated_large_binstring(self):
data = lambda size: b'T' + struct.pack('<I', size) + b'.' * 5
# 0: T BINSTRING '....'
# 9: . STOP
self.assertEqual(self.loads(data(4)), '....') # self-testing
for size in self.itersize(1 << 10, min(sys.maxsize - 5, (1 << 31) - 1)):
for size in itersize(1 << 10, min(sys.maxsize - 5, (1 << 31) - 1)):
self._test_truncated_data(data(size))
self._test_truncated_data(data(1 << 31),
(pickle.UnpicklingError, 'truncated|exceeds|negative byte count'))

def test_truncated_large_binunicode(self):
data = lambda size: b'X' + struct.pack('<I', size) + b'.' * 5
# 0: X BINUNICODE '....'
# 9: . STOP
self.assertEqual(self.loads(data(4)), '....') # self-testing
for size in self.itersize(1 << 10, min(sys.maxsize - 5, (1 << 32) - 1)):
for size in itersize(1 << 10, min(sys.maxsize - 5, (1 << 32) - 1)):
self._test_truncated_data(data(size))

def test_truncated_large_binbytes(self):
data = lambda size: b'B' + struct.pack('<I', size) + b'.' * 5
# 0: B BINBYTES b'....'
# 9: . STOP
self.assertEqual(self.loads(data(4)), b'....') # self-testing
for size in self.itersize(1 << 10, min(sys.maxsize, 1 << 31)):
for size in itersize(1 << 10, min(sys.maxsize, 1 << 31)):
self._test_truncated_data(data(size))

def test_truncated_large_long4(self):
data = lambda size: b'\x8b' + struct.pack('<I', size) + b'.' * 5
# 0: \x8b LONG4 0x2e2e2e2e
# 9: . STOP
self.assertEqual(self.loads(data(4)), 0x2e2e2e2e) # self-testing
for size in self.itersize(1 << 10, min(sys.maxsize - 5, (1 << 31) - 1)):
for size in itersize(1 << 10, min(sys.maxsize - 5, (1 << 31) - 1)):
self._test_truncated_data(data(size))
self._test_truncated_data(data(1 << 31),
(pickle.UnpicklingError, 'LONG pickle has negative byte count'))

def test_truncated_large_frame(self):
data = lambda size: b'\x95' + struct.pack('<Q', size) + b'N.'
# 0: \x95 FRAME 2
# 9: N NONE
# 10: . STOP
self.assertIsNone(self.loads(data(2))) # self-testing
for size in self.itersize(1 << 10, sys.maxsize - 9):
for size in itersize(1 << 10, sys.maxsize - 9):
self._test_truncated_data(data(size))
if sys.maxsize + 1 < 1 << 64:
self._test_truncated_data(data(sys.maxsize + 1),
Expand All @@ -1202,24 +1232,30 @@ def test_truncated_large_frame(self):

def test_truncated_large_binunicode8(self):
data = lambda size: b'\x8d' + struct.pack('<Q', size) + b'.' * 5
# 0: \x8d BINUNICODE8 '....'
# 13: . STOP
self.assertEqual(self.loads(data(4)), '....') # self-testing
for size in self.itersize(1 << 10, sys.maxsize - 9):
for size in itersize(1 << 10, sys.maxsize - 9):
self._test_truncated_data(data(size))
if sys.maxsize + 1 < 1 << 64:
self._test_truncated_data(data(sys.maxsize + 1), self.size_overflow_error)

def test_truncated_large_binbytes8(self):
data = lambda size: b'\x8e' + struct.pack('<Q', size) + b'.' * 5
# 0: \x8e BINBYTES8 b'....'
# 13: . STOP
self.assertEqual(self.loads(data(4)), b'....') # self-testing
for size in self.itersize(1 << 10, sys.maxsize):
for size in itersize(1 << 10, sys.maxsize):
self._test_truncated_data(data(size))
if sys.maxsize + 1 < 1 << 64:
self._test_truncated_data(data(sys.maxsize + 1), self.size_overflow_error)

def test_truncated_large_bytearray8(self):
data = lambda size: b'\x96' + struct.pack('<Q', size) + b'.' * 5
# 0: \x96 BYTEARRAY8 bytearray(b'....')
# 13: . STOP
self.assertEqual(self.loads(data(4)), bytearray(b'....')) # self-testing
for size in self.itersize(1 << 10, sys.maxsize):
for size in itersize(1 << 10, sys.maxsize):
self._test_truncated_data(data(size))
if sys.maxsize + 1 < 1 << 64:
self._test_truncated_data(data(sys.maxsize + 1), self.size_overflow_error)
Expand Down