https://github.com/python/cpython/commit/ce659561776b14f074d197078909891af9c1eeb0
commit: ce659561776b14f074d197078909891af9c1eeb0
branch: 3.14
author: Miss Islington (bot) <31488909+miss-isling...@users.noreply.github.com>
committer: serhiy-storchaka <storch...@gmail.com>
date: 2025-06-29T07:36:04Z
summary:

[3.14] gh-136053: Check error for TYPE_SLICE in marshal.c (GH-136054) (GH-136092)

Fix a possible crash when deserializing a large marshal data (at least several GiBs) containing a slice.
(cherry picked from commit 30ba03ea8ed98522b0500d6856b22727c88e818f)

Co-authored-by: Akshat Gupta <akshat.gupt...@gmail.com>

files:
A Misc/NEWS.d/next/Security/2025-06-27-21-23-19.gh-issue-136053.QZxcee.rst
M Python/marshal.c

diff --git a/Misc/NEWS.d/next/Security/2025-06-27-21-23-19.gh-issue-136053.QZxcee.rst b/Misc/NEWS.d/next/Security/2025-06-27-21-23-19.gh-issue-136053.QZxcee.rst new file mode 100644 index 00000000000000..93caed3aa3b9dd --- /dev/null +++ b/Misc/NEWS.d/next/Security/2025-06-27-21-23-19.gh-issue-136053.QZxcee.rst @@ -0,0 +1 @@ +:mod:`marshal`: fix a possible crash when deserializing :class:`slice` objects. diff --git a/Python/marshal.c b/Python/marshal.c index b39c1a5b1ade50..a0f3e0a9f5668c 100644 --- a/Python/marshal.c +++ b/Python/marshal.c @@ -1656,6 +1656,9 @@ r_object(RFILE *p) case TYPE_SLICE: { Py_ssize_t idx = r_ref_reserve(flag, p); + if (idx < 0) { + break; + } PyObject *stop = NULL; PyObject *step = NULL; PyObject *start = r_object(p);
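
Review bot: the NEWS entry in the Misc/NEWS.d hunk omits the trigger condition that the commit message gives (marshal data of at least several GiBs containing a slice). Consider adding that qualifier to the `:mod:`marshal`` line so readers of the Security section can judge whether their inputs are affected.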
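
Review bot: in the `case TYPE_SLICE:` hunk of Python/marshal.c, the early `break` on `idx < 0` depends on two things the visible lines do not show: that the value returned after the switch is still NULL at this point, and that `r_ref_reserve` has already set an exception when it returns a negative index. A one-line comment on the `break` stating both would make the error path self-explanatory. The file list also contains only the NEWS entry and marshal.c, so no regression test accompanies the fix; since the commit message says the trigger needs several GiBs of marshal data, either a memory-gated test or a sentence explaining why a test is impractical would help.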