https://github.com/python/cpython/commit/30ba03ea8ed98522b0500d6856b22727c88e818f
commit: 30ba03ea8ed98522b0500d6856b22727c88e818f
branch: main
author: Akshat Gupta <[email protected]>
committer: serhiy-storchaka <[email protected]>
date: 2025-06-29T10:07:24+03:00
summary:
gh-136053: Check error for TYPE_SLICE in marshal.c (GH-136054)
Fix a possible crash when deserializing a large marshal data
(at least several GiBs) containing a slice.
files:
A Misc/NEWS.d/next/Security/2025-06-27-21-23-19.gh-issue-136053.QZxcee.rst
M Python/marshal.c
diff --git
a/Misc/NEWS.d/next/Security/2025-06-27-21-23-19.gh-issue-136053.QZxcee.rst
b/Misc/NEWS.d/next/Security/2025-06-27-21-23-19.gh-issue-136053.QZxcee.rst
new file mode 100644
index 00000000000000..93caed3aa3b9dd
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2025-06-27-21-23-19.gh-issue-136053.QZxcee.rst
@@ -0,0 +1 @@
+:mod:`marshal`: fix a possible crash when deserializing :class:`slice` objects.
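Review bot: the added NEWS line omits the trigger condition that the commit message states, namely that the input is large marshal data (at least several GiBs). Since this entry is filed under Security, consider carrying that qualifier into the sentence so readers can judge their exposure, for example "fix a possible crash when deserializing :class:`slice` objects from very large marshal data".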
diff --git a/Python/marshal.c b/Python/marshal.c
index afbef6ee6796d9..15dd25d6268df4 100644
--- a/Python/marshal.c
+++ b/Python/marshal.c
@@ -1656,6 +1656,9 @@ r_object(RFILE *p)
case TYPE_SLICE:
{
Py_ssize_t idx = r_ref_reserve(flag, p);
+ if (idx < 0) {
+ break;
+ }
PyObject *stop = NULL;
PyObject *step = NULL;
PyObject *start = r_object(p);
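Review bot: the new `if (idx < 0) { break; }` directly after `r_ref_reserve(flag, p)` is undocumented and untested; the files list touches only the NEWS entry and Python/marshal.c. A short comment saying that a negative `idx` means the reference slot could not be reserved would help, and it is worth confirming that the value returned after this `break` signals an error to the caller, because the exit happens before `start`, `stop` and `step` are read. The commit message says the crash needs at least several GiBs of input, so if a regression test is impractical at that size, say so in the PR; otherwise add one gated on available memory.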