From 3e4e72f66f4e9d379d7734b5d0de92fc0b4d9596 Mon Sep 17 00:00:00 2001
From: Amaury Forgeot d'Arc
Date: Tue, 11 Nov 2008 20:05:06 +0000
Subject: [PATCH] #4298: pickle.load() can segfault on invalid or truncated input. Patch and test by Hirokazu Yamamoto.
---
 Lib/test/pickletester.py | 5 +++++
 Misc/NEWS | 4 +++-
 Modules/_pickle.c | 5 +++++
 3 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/Lib/test/pickletester.py b/Lib/test/pickletester.py
index 8519fb538e9..c7c89d1509b 100644
--- a/Lib/test/pickletester.py
+++ b/Lib/test/pickletester.py
@@ -1032,6 +1032,11 @@ class AbstractPickleModuleTests(unittest.TestCase):
 self.assertRaises(pickle.PicklingError, BadPickler().dump, 0)
 self.assertRaises(pickle.UnpicklingError, BadUnpickler().load)
+ def test_bad_input(self):
+ # Test issue4298
+ s = bytes([0x58, 0, 0, 0, 0x54])
+ self.assertRaises(EOFError, pickle.loads, s)
+
 class AbstractPersistentPicklerTests(unittest.TestCase):
diff --git a/Misc/NEWS b/Misc/NEWS
index 36095e09019..3a8f4678e9e 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -16,7 +16,9 @@ Core and Builtins
 Library
 -------
-- Issue #4283: fix a left-over "iteritems" call in distutils.
+- Issue #4298: Fix a segfault when pickle.loads is passed a ill-formed input.
+
+- Issue #4283: Fix a left-over "iteritems" call in distutils.
 Build
 -----
diff --git a/Modules/_pickle.c b/Modules/_pickle.c
index a689c3320bd..c1facd83813 100644
--- a/Modules/_pickle.c
+++ b/Modules/_pickle.c
@@ -489,6 +489,11 @@ unpickler_read(UnpicklerObject *self, char **s, Py_ssize_t n)
 return -1;
 }
+ if (PyBytes_GET_SIZE(data) != n) {
+ PyErr_SetNone(PyExc_EOFError);
+ return -1;
+ }
+
 Py_XDECREF(self->last_string);
 self->last_string = data;
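Review bot: The new `test_bad_input` in Lib/test/pickletester.py explains its payload only as `# Test issue4298`, so a reader cannot tell what makes the five bytes malformed. A comment such as `# BINUNICODE ('X') declaring a 0x54000000-byte string with no payload after it` would record the intent. The test also goes only through `pickle.loads`, while the commit title names `pickle.load()`. A second assertion on a stream, `self.assertRaises(EOFError, pickle.load, io.BytesIO(s))`, would cover that path, assuming `io` is importable in this module. The enclosing class AbstractPickleModuleTests starts outside the hunk.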
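Review bot: The new short-read branch in `unpickler_read` returns -1 without releasing `data`. The lines just below store `data` into `self->last_string` with no INCREF, which suggests it is an owned reference at this point, so every truncated read would leak one bytes object. Adding `Py_DECREF(data);` before the new `return -1;` would close that, in line with what the preceding error branch presumably does (it is only partly visible here). For a long-running process that unpickles data from peers, a leak on the malformed-input path means steady memory growth under repeated bad input. The function body starts and ends outside the hunk, so the ownership of `data` should be confirmed against the call that produces it.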