From fd3d21c672b1f8beaefab7eb6581f139aef0ad37 Mon Sep 17 00:00:00 2001
From: Sergey Fedoseev
Date: Thu, 16 Aug 2018 21:10:57 +0500
Subject: [PATCH 1/2] bpo-34395: Don't free allocated memory on realloc fail in load_mark() in _pickle.c.
---
 Modules/_pickle.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/Modules/_pickle.c b/Modules/_pickle.c
index ea778c763520fc..4379a88c5b63da 100644
--- a/Modules/_pickle.c
+++ b/Modules/_pickle.c
@@ -6297,14 +6297,13 @@ load_mark(UnpicklerObject *self)
 return -1;
 }
- Py_ssize_t *marks_old = self->marks;
- PyMem_RESIZE(self->marks, Py_ssize_t, alloc);
- if (self->marks == NULL) {
- PyMem_FREE(marks_old);
- self->marks_size = 0;
+ Py_ssize_t *marks_new = self->marks;
+ PyMem_RESIZE(marks_new, Py_ssize_t, alloc);
+ if (marks_new == NULL) {
 PyErr_NoMemory();
 return -1;
 }
+ self->marks = marks_new;
 self->marks_size = (Py_ssize_t)alloc;
 }
From 4f52c1e05d97e32f46648279620bddbfba7c2d82 Mon Sep 17 00:00:00 2001
From: Sergey Fedoseev
Date: Sat, 25 Aug 2018 14:30:27 +0500
Subject: [PATCH 2/2] Remove unneeded overflow checks.
---
 Modules/_pickle.c | 11 +----------
 1 file changed, 1 insertion(+), 10 deletions(-)
diff --git a/Modules/_pickle.c b/Modules/_pickle.c
index 4379a88c5b63da..bd25fd15f063be 100644
--- a/Modules/_pickle.c
+++ b/Modules/_pickle.c
@@ -6287,16 +6287,7 @@ load_mark(UnpicklerObject *self)
 */
 if ((self->num_marks + 1) >= self->marks_size) {
- size_t alloc;
-
- /* Use the size_t type to check for overflow. */
- alloc = ((size_t)self->num_marks << 1) + 20;
- if (alloc > (PY_SSIZE_T_MAX / sizeof(Py_ssize_t)) ||
- alloc <= ((size_t)self->num_marks + 1)) {
- PyErr_NoMemory();
- return -1;
- }
-
+ size_t alloc = ((size_t)self->num_marks << 1) + 20;
 Py_ssize_t *marks_new = self->marks;
 PyMem_RESIZE(marks_new, Py_ssize_t, alloc);
 if (marks_new == NULL) {
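Review bot: The new lines in the first hunk are only correct because PyMem_RESIZE reassigns its first argument, which is why the result is taken in `marks_new` and copied into `self->marks` after the NULL check; nothing in the hunk says so, and a later "simplification" back to `PyMem_RESIZE(self->marks, ...)` would silently reintroduce the original fault. A comment above the temporary would pin the intent: `/* PyMem_RESIZE reassigns its first argument and yields NULL on failure; resize through a temporary so self->marks, num_marks and marks_size stay mutually consistent when it fails. */`. That consistency is the substantive gain here: num_marks is not reset on this path, so the removed code left num_marks > 0 next to marks == NULL and marks_size == 0, an inconsistent state for any later use of the unpickler, whereas the new code leaves the old buffer and its bookkeeping untouched. load_mark's body begins and ends outside this hunk, and the second patch in the series appears to drop the explicit overflow check on the strength of the same macro, so the comment would also document that reliance.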