fix use after free (closes #24552)

11 years ago · 80f78a3efc
3 changed files with 15 additions and 1 deletions
--- a/Lib/test/pickletester.py
+++ b/Lib/test/pickletester.py
@ -1039,6 +1039,18 @@ class AbstractPickleTests(unittest.TestCase):
                self.assertEqual(B(x), B(y), detail)
                self.assertEqual(x.__dict__, y.__dict__, detail)

+    def test_newobj_not_class(self):
+        # Issue 24552
+        global SimpleNewObj
+        save = SimpleNewObj
+        o = object.__new__(SimpleNewObj)
+        b = self.dumps(o, 4)
+        try:
+            SimpleNewObj = 42
+            self.assertRaises((TypeError, pickle.UnpicklingError), self.loads, b)
+        finally:
+            SimpleNewObj = save
+
    # Register a type with copyreg, with extension code extcode.  Pickle
    # an object of that type.  Check that the resulting pickle uses opcode
    # (EXT[124]) under proto 2, and not in proto 1.
--- a/Misc/NEWS
+++ b/Misc/NEWS
@ -64,6 +64,8 @@ Core and Builtins
 Library
 -------

+- Issue #24552: Fix use after free in an error case of the _pickle module.
+
 - Issue #24514: tarfile now tolerates number fields consisting of only
  whitespace.

--- a/Modules/_pickle.c
+++ b/Modules/_pickle.c
@ -5210,10 +5210,10 @@ load_newobj_ex(UnpicklerObject *self)
    if (!PyType_Check(cls)) {
        Py_DECREF(kwargs);
        Py_DECREF(args);
-        Py_DECREF(cls);
        PyErr_Format(st->UnpicklingError,
                     "NEWOBJ_EX class argument must be a type, not %.200s",
                     Py_TYPE(cls)->tp_name);
+        Py_DECREF(cls);
        return -1;
    }