Memory Safety Issue in marshal.c TYPE_SLICE Case

[akshat62]

Bug report

Bug description:

Description

Location: Python/marshal.c, function r_object(), TYPE_SLICE case

Issue: The code didn't validate the return value of r_ref_reserve() before passing it to r_ref_insert(). If r_ref_reserve() fails and returns -1, this would cause an out-of-bounds memory access when r_ref_insert() tries to access p->refs[-1].

Root Cause: Inconsistent error handling compared to other similar cases in the same file (e.g., TYPE_CODE and TYPE_FROZENSET properly check for r_ref_reserve() failure).

Impact

• Security: Potential memory corruption vulnerability exploitable via crafted marshal data
• Stability: Could cause crashes when deserializing slice objects in error conditions
• Scope: Affects applications using the marshal module to deserialize untrusted data

CPython versions tested on:

CPython main branch

Operating systems tested on:

Linux

Linked PRs

• gh-136053: Memory Safety Issue in marshal.c TYPE_SLICE Case #136054

[picnixz]

Note: it's not a pickle issue but we don't have a marshal project.

[LamentXU123]

could you provide a POC to reproduce this crash/bug?