[New-bugs-announce] [issue18339] Segfault in Unpickler_set_memo()
Christian Heimes
report at bugs.python.org
Mon Jul 1 14:12:33 CEST 2013
New submission from Christian Heimes:
Unpickler_set_memo() crashes when the unpickler's memo attribute is set to a dict with negative numbers. The descriptor uses _Unpickler_MemoPut() which uses the dict key as index to a C array.
Python 3.3.0 (v3.3.0:bd8afb90ebf2, Feb 8 2013, 00:38:29)
[GCC 4.7.2] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import sys, pickle
>>> p = pickle.Unpickler(sys.stdin)
>>> p.memo = {-1: None}
segfault
The issue was found be Coverity Scan:
CID 486776 (#1 of 1): Improper use of negative value (NEGATIVE_RETURNS)
negative_returns: Passing variable "idx" to a parameter that cannot be negative.
5955 if (_Unpickler_MemoPut(self, idx, value) < 0)
----------
files: memo.patch
keywords: patch
messages: 192124
nosy: christian.heimes
priority: normal
severity: normal
stage: needs patch
status: open
title: Segfault in Unpickler_set_memo()
type: crash
versions: Python 3.3, Python 3.4
Added file: http://bugs.python.org/file30739/memo.patch
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue18339>
_______________________________________
More information about the New-bugs-announce
mailing list