diff options
| author |   Serhiy Storchaka <storchaka@gmail.com> | 2014-10-04 14:15:49 +0300 |
|---|---|---|
| committer | Serhiy Storchaka <storchaka@gmail.com> | 2014-10-04 14:15:49 +0300 |
| commit | 4b1681832b8d16fefc73917b5fddff46e5f4c447 (patch) | |
| tree | 22b6beec1b90ee6c222fdd820035f61de153b33a | |
| parent | Bump to 3.3.6rc1 (diff) | |
| download | cpython-3.3.6rc1.tar.gz cpython-3.3.6rc1.tar.bz2 cpython-3.3.6rc1.zip | |
Issue #22518: Fixed integer overflow issues in "backslashreplace",v3.3.6rc1
"xmlcharrefreplace", and "surrogatepass" error handlers.
| -rw-r--r-- | Misc/NEWS | 3 | ||||
| -rw-r--r-- | Python/codecs.c | 8 |
2 files changed, 9 insertions, 2 deletions
diff --git a/Misc/NEWS b/Misc/NEWS index c0046ce3e50..8fbf58bd666 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -10,6 +10,9 @@ What's New in Python 3.3.6? Core and Builtins ----------------- +- Issue #22518: Fixed integer overflow issues in "backslashreplace", + "xmlcharrefreplace", and "surrogatepass" error handlers. + - Issue #22520: Fix overflow checking when generating the repr of a unicode object. diff --git a/Python/codecs.c b/Python/codecs.c index 0b736c1715b..ea33c49f209 100644 --- a/Python/codecs.c +++ b/Python/codecs.c @@ -727,7 +727,7 @@ PyObject *PyCodec_XMLCharRefReplaceErrors(PyObject *exc) Py_ssize_t end; PyObject *res; unsigned char *outp; - int ressize; + Py_ssize_t ressize; Py_UCS4 ch; if (PyUnicodeEncodeError_GetStart(exc, &start)) return NULL; @@ -735,6 +735,8 @@ PyObject *PyCodec_XMLCharRefReplaceErrors(PyObject *exc) return NULL; if (!(object = PyUnicodeEncodeError_GetObject(exc))) return NULL; + if (end - start > PY_SSIZE_T_MAX / (2+7+1)) + end = start + PY_SSIZE_T_MAX / (2+7+1); for (i = start, ressize = 0; i < end; ++i) { /* object is guaranteed to be "ready" */ ch = PyUnicode_READ_CHAR(object, i); @@ -823,7 +825,7 @@ PyObject *PyCodec_BackslashReplaceErrors(PyObject *exc) Py_ssize_t end; PyObject *res; unsigned char *outp; - int ressize; + Py_ssize_t ressize; Py_UCS4 c; if (PyUnicodeEncodeError_GetStart(exc, &start)) return NULL; @@ -831,6 +833,8 @@ PyObject *PyCodec_BackslashReplaceErrors(PyObject *exc) return NULL; if (!(object = PyUnicodeEncodeError_GetObject(exc))) return NULL; + if (end - start > PY_SSIZE_T_MAX / (1+1+8)) + end = start + PY_SSIZE_T_MAX / (1+1+8); for (i = start, ressize = 0; i < end; ++i) { /* object is guaranteed to be "ready" */ c = PyUnicode_READ_CHAR(object, i); |