Issue #27056: Fix _Unpickler_Read() to avoid integer overflow

author: Victor Stinner <victor.stinner@gmail.com> 2016-05-20 21:16:59 +0200
committer: Victor Stinner <victor.stinner@gmail.com> 2016-05-20 21:16:59 +0200
commit: da23056a3ed33d2ae69752f7d113059333176297 (patch)
tree: 33f88aab0e971f9c053cb6a6bf0f7444412542c6 /Modules
parent: f4049ee1700936a28494e0da607131bde62a8fe5 (diff)
download: cpython-git-da23056a3ed33d2ae69752f7d113059333176297.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/Modules/_pickle.c b/Modules/_pickle.c
index e3aa7c50ef..1c9b9eb112 100644
--- a/Modules/_pickle.c
+++ b/Modules/_pickle.c
@@ -1244,7 +1244,7 @@ _Unpickler_ReadImpl(UnpicklerObject *self, char **s, Py_ssize_t n)
    Returns -1 (with an exception set) on failure. On success, return the
    number of chars read. */
 #define _Unpickler_Read(self, s, n) \
-    (((self)->next_read_idx + (n) <= (self)->input_len)      \
+    (((n) <= (self)->input_len - (self)->next_read_idx)      \
      ? (*(s) = (self)->input_buffer + (self)->next_read_idx, \
         (self)->next_read_idx += (n),                        \
         (n))                                                 \
author	Victor Stinner <victor.stinner@gmail.com>	2016-05-20 21:16:59 +0200
committer	Victor Stinner <victor.stinner@gmail.com>	2016-05-20 21:16:59 +0200
commit	da23056a3ed33d2ae69752f7d113059333176297 (patch)
tree	33f88aab0e971f9c053cb6a6bf0f7444412542c6 /Modules
parent	f4049ee1700936a28494e0da607131bde62a8fe5 (diff)
download	cpython-git-da23056a3ed33d2ae69752f7d113059333176297.tar.gz