From e48cf7e729923cf8bfb04cf559b4177503e85c39 Mon Sep 17 00:00:00 2001 From: Benjamin Peterson Date: Sat, 26 Sep 2015 00:08:34 -0700 Subject: [PATCH] prevent overflow in _Unpickler_Read --- Misc/NEWS | 2 ++ Modules/_pickle.c | 6 ++++++ 2 files changed, 8 insertions(+) diff --git a/Misc/NEWS b/Misc/NEWS index fcf3d887fd2..a4e5c47ab6f 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -81,6 +81,8 @@ Core and Builtins Library ------- +- Prevent overflow in _Unpickler_Read. + - Issue #25047: The XML encoding declaration written by Element Tree now respects the letter case given by the user. This restores the ability to write encoding names in uppercase like "UTF-8", which worked in Python 2. diff --git a/Modules/_pickle.c b/Modules/_pickle.c index 9f16b4d0810..68d2a60774b 100644 --- a/Modules/_pickle.c +++ b/Modules/_pickle.c @@ -1182,6 +1182,12 @@ _Unpickler_Read(UnpicklerObject *self, char **s, Py_ssize_t n) { Py_ssize_t num_read; + if (self->next_read_idx > PY_SSIZE_T_MAX - n) { + PickleState *st = _Pickle_GetGlobalState(); + PyErr_SetString(st->UnpicklingError, + "read would overflow (invalid bytecode)"); + return -1; + } if (self->next_read_idx + n <= self->input_len) { *s = self->input_buffer + self->next_read_idx; self->next_read_idx += n;
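Review bot: The new guard in `_Unpickler_Read`, `self->next_read_idx > PY_SSIZE_T_MAX - n`, is only overflow-free when `n >= 0`; for a negative `n` the subtraction `PY_SSIZE_T_MAX - n` is itself a signed overflow (undefined behaviour in C), and nothing in the hunk shows `n` being range-checked. If callers outside the hunk already reject negative lengths, record that precondition with `assert(n >= 0);` above the check; otherwise fold it into the guard as `if (n < 0 || self->next_read_idx > PY_SSIZE_T_MAX - n) {`. A one-line comment such as `/* Reject sizes that would make next_read_idx + n wrap before the bounds comparison below. */` would explain why the check has to precede `self->next_read_idx + n <= self->input_len`. The diffstat lists only Misc/NEWS and Modules/_pickle.c, so a regression test for the oversized-length case would be worth adding alongside the fix. The function body continues past the end of the hunk, so the remaining read path is not visible here.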