summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorBenjamin Peterson <benjamin@python.org>2014-09-30 03:02:15 (GMT)
committerBenjamin Peterson <benjamin@python.org>2014-09-30 03:02:15 (GMT)
commit736b8012b42be24dd26b57bd443a576cc37c116c (patch)
tree643d472cfd4a079ce9fd1fe86ac80198a1fafbcb
parentbbd0a323aeb1222d216fa10a9e1d9c91945ad1e6 (diff)
downloadcpython-736b8012b42be24dd26b57bd443a576cc37c116c.zip
cpython-736b8012b42be24dd26b57bd443a576cc37c116c.tar.gz
cpython-736b8012b42be24dd26b57bd443a576cc37c116c.tar.bz2
prevent overflow in unicode_repr (closes #22520)
-rw-r--r--Misc/NEWS3
-rw-r--r--Objects/unicodeobject.c28
2 files changed, 20 insertions, 11 deletions
diff --git a/Misc/NEWS b/Misc/NEWS
index 890c251..1c2393c 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -10,6 +10,9 @@ What's New in Python 3.3.6 release candidate 1?
Core and Builtins
-----------------
+- Issue #22520: Fix overflow checking when generating the repr of a unicode
+ object.
+
- Issue #22519: Fix overflow checking in PyBytes_Repr.
- Issue #22518: Fix integer overflow issues in latin-1 encoding.
diff --git a/Objects/unicodeobject.c b/Objects/unicodeobject.c
index 07832ba..1ce5caa 100644
--- a/Objects/unicodeobject.c
+++ b/Objects/unicodeobject.c
@@ -12000,28 +12000,34 @@ unicode_repr(PyObject *unicode)
ikind = PyUnicode_KIND(unicode);
for (i = 0; i < isize; i++) {
Py_UCS4 ch = PyUnicode_READ(ikind, idata, i);
+ Py_ssize_t incr = 1;
switch (ch) {
- case '\'': squote++; osize++; break;
- case '"': dquote++; osize++; break;
+ case '\'': squote++; break;
+ case '"': dquote++; break;
case '\\': case '\t': case '\r': case '\n':
- osize += 2; break;
+ incr = 2;
+ break;
default:
/* Fast-path ASCII */
if (ch < ' ' || ch == 0x7f)
- osize += 4; /* \xHH */
+ incr = 4; /* \xHH */
else if (ch < 0x7f)
- osize++;
- else if (Py_UNICODE_ISPRINTABLE(ch)) {
- osize++;
+ ;
+ else if (Py_UNICODE_ISPRINTABLE(ch))
max = ch > max ? ch : max;
- }
else if (ch < 0x100)
- osize += 4; /* \xHH */
+ incr = 4; /* \xHH */
else if (ch < 0x10000)
- osize += 6; /* \uHHHH */
+ incr = 6; /* \uHHHH */
else
- osize += 10; /* \uHHHHHHHH */
+ incr = 10; /* \uHHHHHHHH */
+ }
+ if (osize > PY_SSIZE_T_MAX - incr) {
+ PyErr_SetString(PyExc_OverflowError,
+ "string is too long to generate repr");
+ return NULL;
}
+ osize += incr;
}
quote = '\'';