[2.7] bpo-36149 Fix potential use of uninitialized memory in cPickle (#12105)

Fix off-by-one bug in cPickle that caused it to use uninitialised memory on truncated pickles read from FILE*s.

[2.7] bpo-36149 Fix potential use of uninitialized memory in cPickle (#12105)
Fix off-by-one bug in cPickle that caused it to use uninitialised memory on truncated pickles read from FILE*s.
d9bf7f41 · T. Wouters · GitHub · 84b5ac9b · d9bf7f41 · d9bf7f41
Commit d9bf7f41 authored Mar 04, 2019 by T. Wouters Committed by GitHub Mar 04, 2019
Showing with 10 additions and 5 deletions

Misc/NEWS.d/next/Core and Builtins/2019-02-28-13-52-18.bpo-36149.GJdnh4.rst ...ore and Builtins/2019-02-28-13-52-18.bpo-36149.GJdnh4.rst +2 -0

Modules/cPickle.c Modules/cPickle.c +8 -5

No files found.
--- a/Misc/NEWS.d/next/Core and Builtins/2019-02-28-13-52-18.bpo-36149.GJdnh4.rst
+++ b/Misc/NEWS.d/next/Core and Builtins/2019-02-28-13-52-18.bpo-36149.GJdnh4.rst
+Fix use of uninitialized memory in cPickle when reading a truncated pickle
+from a file object.
--- a/Modules/cPickle.c
+++ b/Modules/cPickle.c
@@ -586,12 +586,15 @@ readline_file(Unpicklerobject *self, char **s)
    while (1) {
        Py_ssize_t bigger;
        char *newbuf;
-        for (; i < (self->buf_size - 1); i++) {
-            if (feof(self->fp) ||
-                (self->buf[i] = getc(self->fp)) == '\n') {
-                self->buf[i + 1] = '\0';
+        while (i < (self->buf_size - 1)) {
+            int newchar = getc(self->fp);
+            if (newchar != EOF) {
+                self->buf[i++] = newchar;
+            }
+            if (newchar == EOF || newchar == '\n') {
+                self->buf[i] = '\0';
                *s = self->buf;
-                return i + 1;
+                return i;
            }
        }
        if (self->buf_size > (PY_SSIZE_T_MAX >> 1)) {