authorSerhiy Storchaka <storchaka@gmail.com>2014-10-04 11:14:41 (GMT)
committerSerhiy Storchaka <storchaka@gmail.com>2014-10-04 11:14:41 (GMT)
commitd524922bdc2b8db02df70ff10ccac0285dfa2014 (patch)
tree4256e9c97411bbe91b82700b7a355612d39f48d8
parent52313d72faa199e2e40a3bd5e88fa0b5f5a0bc61 (diff)
Issue #22518: Fixed integer overflow issues in "backslashreplace" and
"xmlcharrefreplace" error handlers.
-rw-r--r--Misc/NEWS3
-rw-r--r--Python/codecs.c14
2 files changed, 15 insertions, 2 deletions
diff --git a/Misc/NEWS b/Misc/NEWS
index 0a97051..7b8177f 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -10,6 +10,9 @@ What's New in Python 2.7.9?
Core and Builtins
-----------------
+- Issue #22518: Fixed integer overflow issues in "backslashreplace" and
+ "xmlcharrefreplace" error handlers.
+
- Issue #22526: Fix iterating through files with lines longer than 2^31 bytes.
- Issue #22519: Fix overflow checking in PyString_Repr.
diff --git a/Python/codecs.c b/Python/codecs.c
index 7d1145f..8b8c037 100644
--- a/Python/codecs.c
+++ b/Python/codecs.c
@@ -558,7 +558,7 @@ PyObject *PyCodec_XMLCharRefReplaceErrors(PyObject *exc)
Py_UNICODE *startp;
Py_UNICODE *e;
Py_UNICODE *outp;
- int ressize;
+ Py_ssize_t ressize;
if (PyUnicodeEncodeError_GetStart(exc, &start))
return NULL;
if (PyUnicodeEncodeError_GetEnd(exc, &end))
@@ -566,6 +566,14 @@ PyObject *PyCodec_XMLCharRefReplaceErrors(PyObject *exc)
if (!(object = PyUnicodeEncodeError_GetObject(exc)))
return NULL;
startp = PyUnicode_AS_UNICODE(object);
+ if (end - start > PY_SSIZE_T_MAX / (2+7+1)) {
+ end = start + PY_SSIZE_T_MAX / (2+7+1);
+#ifndef Py_UNICODE_WIDE
+ ch = startp[end - 1];
+ if (0xD800 <= ch && ch <= 0xDBFF)
+ end--;
+#endif
+ }
e = startp + end;
for (p = startp+start, ressize = 0; p < e;) {
Py_UCS4 ch = *p++;
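Review bot: On narrow builds the added `ch = startp[end - 1];` uses `ch` with no declaration visible in this hunk; the only one shown is `Py_UCS4 ch = *p++;` inside the `for` body just below, and that one is scoped to the loop. Unless `ch` is already declared among the function's locals (outside the hunk), the `#ifndef Py_UNICODE_WIDE` branch will not compile, and since it is built only on UCS-2 configurations a wide-build run would not catch it. Hoisting the declaration to the block's locals as `Py_UCS4 ch;` and changing the loop line to `ch = *p++;` would cover both uses. The surrogate test backs `end` off a high surrogate so the clamp does not split a pair, which deserves a one-line comment such as `/* do not cut a surrogate pair in half */`.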
@@ -675,13 +683,15 @@ PyObject *PyCodec_BackslashReplaceErrors(PyObject *exc)
Py_UNICODE *p;
Py_UNICODE *startp;
Py_UNICODE *outp;
- int ressize;
+ Py_ssize_t ressize;
if (PyUnicodeEncodeError_GetStart(exc, &start))
return NULL;
if (PyUnicodeEncodeError_GetEnd(exc, &end))
return NULL;
if (!(object = PyUnicodeEncodeError_GetObject(exc)))
return NULL;
+ if (end - start > PY_SSIZE_T_MAX / (1+1+8))
+ end = start + PY_SSIZE_T_MAX / (1+1+8);
startp = PyUnicode_AS_UNICODE(object);
for (p = startp+start, ressize = 0; p < startp+end; ++p) {
#ifdef Py_UNICODE_WIDE
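Review bot: The divisors `(1+1+8)` in this clamp and `(2+7+1)` in the PyCodec_XMLCharRefReplaceErrors clamp are bare arithmetic with no comment, so nothing tells a reader that they must stay in step with the longest replacement each handler can emit per input unit. Presumably they stand for `\U` plus eight hex digits and `&#` plus seven decimal digits plus `;`, but the sizing loops continue outside the hunks, so that should be confirmed there. I would add above each clamp something like `/* worst case: 10 output chars per input unit; clamp so ressize cannot exceed PY_SSIZE_T_MAX */`. The same comment should say that an oversized range is shortened silently rather than raising, since the caller presumably only learns the new `end` from the handler's return value.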