Bug report

Bug description:

Description

Location:Python/marshal.c, functionr_object(),TYPE_SLICE case

Issue: The code didn't validate the return value ofr_ref_reserve() before passing it tor_ref_insert(). Ifr_ref_reserve() fails and returns -1, this would cause an out-of-bounds memory access whenr_ref_insert() tries to accessp->refs[-1].

Root Cause: Inconsistent error handling compared to other similar cases in the same file (e.g.,TYPE_CODE andTYPE_FROZENSET properly check forr_ref_reserve() failure).

Impact

• Security: Potential memory corruption vulnerability exploitable via crafted marshal data
• Stability: Could cause crashes when deserializing slice objects in error conditions
• Scope: Affects applications using the marshal module to deserialize untrusted data

CPython versions tested on:

CPython main branch

Operating systems tested on:

Linux

Linked PRs

• gh-136053: Memory Safety Issue in marshal.c TYPE_SLICE Case #136054
• [3.14] gh-136053: Check error for TYPE_SLICE in marshal.c (GH-136054) #136092