fix use after free (closes #24552)

80f78a3e · Benjamin Peterson · b7a688b3 · 80f78a3e · 80f78a3e · 80f78a3e
Kaydet (Commit) 80f78a3e authored Tem 02, 2015 tarafından Benjamin Peterson
Show whitespace changes
Inline Side-by-side

Showing with 15 additions and 1 deletion

pickletester.py Lib/test/pickletester.py +12 -0

NEWS Misc/NEWS +2 -0

_pickle.c Modules/_pickle.c +1 -1

No files found.
--- a/Lib/test/pickletester.py
+++ b/Lib/test/pickletester.py
@@ -1039,6 +1039,18 @@ class AbstractPickleTests(unittest.TestCase):
                self.assertEqual(B(x), B(y), detail)
                self.assertEqual(x.__dict__, y.__dict__, detail)
+    def test_newobj_not_class(self):
+        # Issue 24552
+        global SimpleNewObj
+        save = SimpleNewObj
+        o = object.__new__(SimpleNewObj)
+        b = self.dumps(o, 4)
+        try:
+            SimpleNewObj = 42
+            self.assertRaises((TypeError, pickle.UnpicklingError), self.loads, b)
+        finally:
+            SimpleNewObj = save
    # Register a type with copyreg, with extension code extcode.  Pickle
    # an object of that type.  Check that the resulting pickle uses opcode
    # (EXT[124]) under proto 2, and not in proto 1.

--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -64,6 +64,8 @@ Core and Builtins
 Library
 -------
+- Issue #24552: Fix use after free in an error case of the _pickle module.
 - Issue #24514: tarfile now tolerates number fields consisting of only
  whitespace.

--- a/Modules/_pickle.c
+++ b/Modules/_pickle.c
@@ -5210,10 +5210,10 @@ load_newobj_ex(UnpicklerObject *self)
    if (!PyType_Check(cls)) {
        Py_DECREF(kwargs);
        Py_DECREF(args);
-        Py_DECREF(cls);
        PyErr_Format(st->UnpicklingError,
                     "NEWOBJ_EX class argument must be a type, not %.200s",
                     Py_TYPE(cls)->tp_name);
+        Py_DECREF(cls);
        return -1;
    }