Skip to content

Memory Safety Issue in marshal.c TYPE_SLICE Case #136053

New issue
New issue
Closed
Closed
Memory Safety Issue in marshal.c TYPE_SLICE Case#136053
Labels
3.14bugs and security fixes3.15new features, bugs and security fixesextension-modulesC modules in the Modules dirtype-bugAn unexpected behavior, bug, or error
@akshat62

Description

@akshat62
akshat62
opened on Jun 27, 2025

Bug report

Bug description:

Description

Location: Python/marshal.c, function r_object(), TYPE_SLICE case

Issue: The code didn't validate the return value of r_ref_reserve() before passing it to r_ref_insert(). If r_ref_reserve() fails and returns -1, this would cause an out-of-bounds memory access when r_ref_insert() tries to access p->refs[-1].

Root Cause: Inconsistent error handling compared to other similar cases in the same file (e.g., TYPE_CODE and TYPE_FROZENSET properly check for r_ref_reserve() failure).

Impact

  • Security: Potential memory corruption vulnerability exploitable via crafted marshal data
  • Stability: Could cause crashes when deserializing slice objects in error conditions
  • Scope: Affects applications using the marshal module to deserialize untrusted data

CPython versions tested on:

CPython main branch

Operating systems tested on:

Linux

Linked PRs

Metadata

Metadata

Assignees

No one assigned

    Labels

    3.14bugs and security fixes3.15new features, bugs and security fixesextension-modulesC modules in the Modules dirtype-bugAn unexpected behavior, bug, or error

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions