[issue6553] cPickle "binunicode" segmentation fault
Patrick Strawderman
report at bugs.python.org
Thu Jul 23 17:15:19 CEST 2009
New submission from Patrick Strawderman <patrick at zope.com>:
When reading from a file-like object (like StringIO), cPickle uses the
read_other function, which doesn't check that the number of bytes
requested is the actual number of bytes read (like the read_cStringIO
function does).
Functions like load_binunicode falsely assume that the number of bytes
specified after the BINUNICODE instruction is the actual number of
bytes read. This can eventually lead to a segmentation fault, as
demonstrated in the following example:
import cPickle, StringIO
cPickle.Unpickler(StringIO.StringIO("X''.")).load()
I have tested and reproduced this on Python 2.4.6 (OS X 32-bit), 2.5.1
(OS X 32-bit), and 2.6.2 (Linux 64-bit).
I have not tested Python 3.x, but I believe this problem may be akin to
the one in issue4298.
----------
messages: 90847
nosy: boogenhagn
severity: normal
status: open
title: cPickle "binunicode" segmentation fault
versions: Python 2.4, Python 2.5, Python 2.6
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue6553>
_______________________________________
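The report's point is that a read() on an arbitrary file-like object may return fewer bytes than requested, so a loader must compare what it asked for with what it got before trusting a length field. The following is an added example, written for this page and not code from the tracker or from CPython's cPickle; the names read_exact, load_binunicode_checked and try_load are my own and do not correspond to the read_other or load_binunicode functions in the C source. It parses a single BINUNICODE record ('X', a 4-byte little-endian length, then UTF-8 bytes) over constructed inputs, including the four-character stream quoted in the report, and raises a clean exception on truncation instead of continuing with a short buffer.

```python
import io
import struct

BINUNICODE = b"X"   # pickle opcode: 4-byte length prefix, then UTF-8 text
STOP = b"."         # pickle opcode: end of stream


class TruncatedPickle(ValueError):
    """Raised when the stream ends before a length-prefixed field is complete."""


def read_exact(stream, n):
    """Read exactly n bytes from a file-like object, or raise.

    This is the check the report says read_other lacks: file-like read(n)
    may legally return fewer than n bytes, so the caller must compare.
    """
    data = stream.read(n)
    if len(data) != n:
        raise TruncatedPickle(
            "requested %d bytes, stream supplied %d" % (n, len(data)))
    return data


def load_binunicode_checked(stream):
    """Decode one BINUNICODE record without trusting the length field blindly."""
    opcode = read_exact(stream, 1)
    if opcode != BINUNICODE:
        raise ValueError("expected BINUNICODE opcode, got %r" % opcode)
    (length,) = struct.unpack("<I", read_exact(stream, 4))
    payload = read_exact(stream, length)  # short read here raises, not crashes
    return payload.decode("utf-8")


def try_load(data):
    """Run the checked loader on a byte string.

    Returns ("ok", text) for a complete record, or ("truncated", message)
    when the stream is shorter than its own length fields claim.
    """
    stream = io.BytesIO(data)
    try:
        return ("ok", load_binunicode_checked(stream))
    except TruncatedPickle as exc:
        return ("truncated", str(exc))


def make_record(text):
    """Build a well-formed BINUNICODE record followed by STOP."""
    encoded = text.encode("utf-8")
    return BINUNICODE + struct.pack("<I", len(encoded)) + encoded + STOP


# Constructed sample inputs (not taken from the tracker): one well-formed
# record, the four-character stream quoted in the report, and one whose
# length field promises far more bytes than the stream holds.
SAMPLES = {
    "well_formed": make_record("hello"),
    "report_input": b"X''.",
    "oversized_length": BINUNICODE + struct.pack("<I", 0x7FFFFFFF) + b"ab",
}


def run_samples():
    """Apply try_load to every constructed sample; returns a name -> result dict."""
    return {name: try_load(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print("%-17s %s" % (name, result))
```

With the report's input, the checked reader stops at the length field itself: it asks for 4 bytes and receives 3, which is exactly the discrepancy an unchecked reader would carry forward into a later buffer access.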