gh-151046: Fix use-after-free in _Unpickler_ReadIntoFromFile

When unpickling from a file-like object that provides readinto(), the C
Unpickler handed it a temporary memoryview over an internal buffer and never
released it. A readinto() implementation that kept a reference to the view
could read or write the buffer after it had been freed, a use-after-free
reachable from pure Python.

Keep an owned reference across the call and release the memoryview as soon as
readinto() returns, so a surviving reference raises ValueError instead of
dereferencing freed memory. Add a regression test.

Author: tonghuaroot

Lib/test/test_pickle.py

@@ -382,6 +382,53 @@ class CUnpicklerTests(PyUnpicklerTests):
         truncated_data_error = (pickle.UnpicklingError, 'truncated')
         size_overflow_error = (OverflowError, 'exceeds')
 
+        def test_readinto_does_not_keep_buffer_alive(self):
+            # The C unpickler hands readinto() a temporary memoryview over an
+            # internal buffer that does not outlive the unpickling operation.
+            # A readinto() implementation that keeps a reference to that view
+            # must not be able to read or write the buffer after readinto()
+            # returns: the view is released, so using it raises ValueError
+            # rather than accessing freed memory.
+            stashed = []
+
+            class StashingFile:
+                def __init__(self, data):
+                    self._data = memoryview(data)
+                    self._pos = 0
+
+                def read(self, n=-1):
+                    if n is None or n < 0:
+                        chunk = self._data[self._pos:]
+                    else:
+                        chunk = self._data[self._pos:self._pos + n]
+                    self._pos += len(chunk)
+                    return bytes(chunk)
+
+                def readline(self):
+                    return self.read(-1)
+
+                def readinto(self, view):
+                    stashed.append(view)
+                    n = min(len(view), len(self._data) - self._pos)
+                    view[:n] = self._data[self._pos:self._pos + n]
+                    self._pos += n
+                    return n
+
+            # A large bytes object forces the file-read (readinto) path.
+            payload = b'spam' * 100_000
+            data = pickle.dumps(payload, protocol=4)
+            obj = self.unpickler(StashingFile(data)).load()
+            self.assertEqual(obj, payload)
+
+            self.assertTrue(stashed)
+            for view in stashed:
+                with self.assertRaises(ValueError):
+                    view[0]
+                with self.assertRaises(ValueError):
+                    view[0] = 0
+                with self.assertRaises(ValueError):
+                    bytes(view)
+
     class CPicklingErrorTests(PyPicklingErrorTests):
         pickler = _pickle.Pickler
 

Misc/NEWS.d/next/Library/2026-06-07-23-45-00.gh-issue-151046.S6dZlz.rst

@@ -0,0 +1,7 @@
+Fix a use-after-free in the C implementation of :mod:`pickle`. When
+unpickling from a file-like object that provides ``readinto()``, the
+:class:`~pickle.Unpickler` passed it a temporary :class:`memoryview` over an
+internal buffer. A ``readinto()`` implementation that kept a reference to that
+view could use it to read or write the buffer after it had been freed. The
+view is now released as soon as ``readinto()`` returns, so a surviving
+reference raises :exc:`ValueError` instead of accessing freed memory.

Modules/_pickle.c

@@ -1283,6 +1283,32 @@ _Unpickler_SkipConsumed(UnpicklerObject *self)
 
 static const Py_ssize_t READ_WHOLE_LINE = -1;
 
+/* Release the temporary memoryview that was handed to a readinto() call and
+   drop our reference to it.  Releasing it severs the link between the view and
+   the underlying buffer, so a reference retained by readinto() can no longer be
+   used to read or write the (soon to be freed) buffer.  Returns 0 on success,
+   -1 if the view could not be released (for example because readinto() exported
+   the buffer and still holds it); in that case an exception is set.  Any
+   exception already pending when this is called is preserved. */
+static int
+_Unpickler_ReleaseBufObj(PyObject *buf_obj)
+{
+    PyObject *exc = PyErr_GetRaisedException();
+    PyObject *res = PyObject_CallMethodNoArgs(buf_obj, &_Py_ID(release));
+    int err = (res == NULL) ? -1 : 0;
+    Py_XDECREF(res);
+    if (exc != NULL) {
+        /* Keep the original error; ignore any error from release(). */
+        if (err < 0) {
+            PyErr_Clear();
+        }
+        PyErr_SetRaisedException(exc);
+        err = 0;
+    }
+    Py_DECREF(buf_obj);
+    return err;
+}
+
 /* Don't call it directly: use _Unpickler_ReadInto() */
 static Py_ssize_t
 _Unpickler_ReadIntoFromFile(PickleState *state, UnpicklerObject *self, char *buf,
@@ -1318,17 +1344,32 @@ _Unpickler_ReadIntoFromFile(PickleState *state, UnpicklerObject *self, char *buf
         return n;
     }
 
-    /* Call readinto() into user buffer */
+    /* Call readinto() into user buffer.
+
+       buf points into a temporary buffer (e.g. a bytes object on the
+       unpickler stack) that does not outlive this unpickling operation.  We
+       wrap it in a memoryview only so we can hand it to readinto(); a buggy or
+       hostile readinto() implementation may keep a reference to that view.
+       Release the view as soon as readinto() returns so that any surviving
+       reference can no longer dereference buf: using it then raises a clean
+       Python exception instead of accessing freed memory. */
     PyObject *buf_obj = PyMemoryView_FromMemory(buf, n, PyBUF_WRITE);
     if (buf_obj == NULL) {
         return -1;
     }
-    PyObject *read_size_obj = _Pickle_FastCall(self->readinto, buf_obj);
+    /* Keep our own reference across the call (PyObject_CallOneArg does not
+       steal it) so that we can release the view afterwards regardless of what
+       readinto() does with the object it receives. */
+    PyObject *read_size_obj = PyObject_CallOneArg(self->readinto, buf_obj);
     if (read_size_obj == NULL) {
+        _Unpickler_ReleaseBufObj(buf_obj);
         return -1;
     }
     Py_ssize_t read_size = PyLong_AsSsize_t(read_size_obj);
     Py_DECREF(read_size_obj);
+    if (_Unpickler_ReleaseBufObj(buf_obj) < 0) {
+        return -1;
+    }
 
     if (read_size < 0) {
         if (!PyErr_Occurred()) {