Pickletools doesn't error on EXT4 negative argument

[Legoclones]

Bug report

Bug description:

All extension codes must be positive (enforced when using copyreg.add_extension and in both pickle.py and _pickle.c implementations), but pickletools doesn't throw an error if EXT4 has a negative argument.

I can make a pull request to change the argument from int4 to uint4, but that means pickletools accepts extension codes that are 0x7fffffff or higher, while pickle.py and _pickle.c don't. I could also change those modules so they process the 4 bytes as unsigned also, if no one has any objections to that.

CPython versions tested on:

3.11

Operating systems tested on:

Linux

[serhiy-storchaka]

I think that it is not an issue that pickletools is more lenient than pickle.

[Legoclones]

@serhiy-storchaka Okay, that's fine. I've been doing some research into discrepancies between the 3 pickle implementations so that reverse engineering/identifying malicious pickles has less holes that someone could abuse. I've reported a number of them already across my various issues and I have a few more still. A lot of them are edge cases that are hard to detect and require custom pickles, but I figured it's better to report them and have us decide it's not worth it to fix than not report it and it's something you all would like us to change.

I have also been going opcode by opcode and writing my own supplements to the "documentation" (documentation meaning the code comments in pickletools), and I'll also make an issue/pull request here soon with a bunch of updates to correct, modify, or add to the documentation.

As for this specific EXT4 issue, if we don't care that pickletools is more lenient than others I'll go ahead and close the issue.