From 90555eca44a19c743d39b7fd2e05f7bc37fb5cb8 Mon Sep 17 00:00:00 2001
From: Sergey Fedoseev
Date: Sat, 25 Aug 2018 15:41:58 +0500
Subject: [PATCH] bpo-34395: Don't free allocated memory on realloc fail in load_mark() in _pickle.c. (GH-8788)
---
 Modules/_pickle.c | 20 +++++---------------
 1 file changed, 5 insertions(+), 15 deletions(-)
diff --git a/Modules/_pickle.c b/Modules/_pickle.c
index 39628fcef5d..2de70f5d940 100644
--- a/Modules/_pickle.c
+++ b/Modules/_pickle.c
@@ -6289,24 +6289,14 @@ load_mark(UnpicklerObject *self)
 */
 if (self->num_marks >= self->marks_size) {
- size_t alloc;
-
- /* Use the size_t type to check for overflow. */
- alloc = ((size_t)self->num_marks << 1) + 20;
- if (alloc > (PY_SSIZE_T_MAX / sizeof(Py_ssize_t)) ||
- alloc <= ((size_t)self->num_marks + 1)) {
- PyErr_NoMemory();
- return -1;
- }
-
- Py_ssize_t *marks_old = self->marks;
- PyMem_RESIZE(self->marks, Py_ssize_t, alloc);
- if (self->marks == NULL) {
- PyMem_FREE(marks_old);
- self->marks_size = 0;
+ size_t alloc = ((size_t)self->num_marks << 1) + 20;
+ Py_ssize_t *marks_new = self->marks;
+ PyMem_RESIZE(marks_new, Py_ssize_t, alloc);
+ if (marks_new == NULL) {
 PyErr_NoMemory();
 return -1;
 }
+ self->marks = marks_new;
 self->marks_size = (Py_ssize_t)alloc;
 }
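Review bot: The explicit bound on `alloc` and its "check for overflow" comment are removed, and nothing on the new side says why `PyMem_RESIZE(marks_new, Py_ssize_t, alloc)` and the later `(Py_ssize_t)alloc` cast remain safe. The macro's definition is not in this hunk; as far as I know it yields NULL when the count exceeds `PY_SSIZE_T_MAX / sizeof(type)`, which would cover the first removed condition, but that should be confirmed. The second removed condition (the wrap test against `num_marks + 1`) now rests on `num_marks` never exceeding a previously allocated `marks_size`. Since the mark stack grows from pickle data that may be untrusted, I would record both points above the resize, e.g. `/* PyMem_RESIZE rejects alloc > PY_SSIZE_T_MAX / sizeof(Py_ssize_t); num_marks <= marks_size, so the shift cannot wrap. */`. On the failure path, keeping `self->marks` and `self->marks_size` untouched leaves the unpickler consistent; load_mark's body starts and ends outside the hunk.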