python · serhiy-storchaka · Jun 29, 2025 · Jun 27, 2025 · Jun 27, 2025 · Jun 27, 2025
diff --git a/Misc/NEWS.d/next/Security/2025-06-27-20-14-11.gh-issue-136053._pnEv0.rst b/Misc/NEWS.d/next/Security/2025-06-27-20-14-11.gh-issue-136053._pnEv0.rst
@@ -0,0 +1 @@
+Fix a potential out-of-bounds memory access vulnerability in the ``TYPE_SLICE`` case of the ``r_object`` function in ``marshal.c``. The code now properly checks if ``r_ref_reserve()`` fails before using its return value, preventing crashes or security issues when deserializing malicious marshal data.
diff --git a/Python/marshal.c b/Python/marshal.c
@@ -1658,7 +1658,14 @@ r_object(RFILE *p)
         Py_ssize_t idx = r_ref_reserve(flag, p);
         PyObject *stop = NULL;
         PyObject *step = NULL;
-        PyObject *start = r_object(p);
+        PyObject *start = NULL;
+
+        if (idx < 0 && flag) {
+            // r_ref_reserve failed
+            break;
+        }
+
+        start = r_object(p);
         if (start == NULL) {
             goto cleanup;
         }
@@ -1671,7 +1678,9 @@ r_object(RFILE *p)
             goto cleanup;
         }
         retval = PySlice_New(start, stop, step);
-        r_ref_insert(retval, idx, flag, p);
+        if (retval != NULL) {
+            r_ref_insert(retval, idx, flag, p);
+        }
     cleanup:
         Py_XDECREF(start);
         Py_XDECREF(stop);
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		Fix a potential out-of-bounds memory access vulnerability in the ``TYPE_SLICE`` case of the ``r_object`` function in ``marshal.c``. The code now properly checks if ``r_ref_reserve()`` fails before using its return value, preventing crashes or security issues when deserializing malicious marshal data.
akshat62 marked this conversation as resolved. Outdated Show resolved Hide resolved