diff options
| author | Serhiy Storchaka <storchaka@gmail.com> | 2014-10-04 11:15:49 (GMT) |
|---|---|---|
| committer | Serhiy Storchaka <storchaka@gmail.com> | 2014-10-04 11:15:49 (GMT) |
| commit | 4b1681832b8d16fefc73917b5fddff46e5f4c447 (patch) | |
| tree | 22b6beec1b90ee6c222fdd820035f61de153b33a | |
| parent | 76e73f85a3a9d7d4210f45ac020c5e5ce5323d80 (diff) | |
| download | cpython-4b1681832b8d16fefc73917b5fddff46e5f4c447.zip cpython-4b1681832b8d16fefc73917b5fddff46e5f4c447.tar.gz cpython-4b1681832b8d16fefc73917b5fddff46e5f4c447.tar.bz2 | |
Issue #22518: Fixed integer overflow issues in "backslashreplace",v3.3.6rc1
"xmlcharrefreplace", and "surrogatepass" error handlers.
| -rw-r--r-- | Misc/NEWS | 3 | ||||
| -rw-r--r-- | Python/codecs.c | 8 |
2 files changed, 9 insertions, 2 deletions
@@ -10,6 +10,9 @@ What's New in Python 3.3.6? Core and Builtins ----------------- +- Issue #22518: Fixed integer overflow issues in "backslashreplace", + "xmlcharrefreplace", and "surrogatepass" error handlers. + - Issue #22520: Fix overflow checking when generating the repr of a unicode object. diff --git a/Python/codecs.c b/Python/codecs.c index 0b736c1..ea33c49 100644 --- a/Python/codecs.c +++ b/Python/codecs.c @@ -727,7 +727,7 @@ PyObject *PyCodec_XMLCharRefReplaceErrors(PyObject *exc) Py_ssize_t end; PyObject *res; unsigned char *outp; - int ressize; + Py_ssize_t ressize; Py_UCS4 ch; if (PyUnicodeEncodeError_GetStart(exc, &start)) return NULL; @@ -735,6 +735,8 @@ PyObject *PyCodec_XMLCharRefReplaceErrors(PyObject *exc) return NULL; if (!(object = PyUnicodeEncodeError_GetObject(exc))) return NULL; + if (end - start > PY_SSIZE_T_MAX / (2+7+1)) + end = start + PY_SSIZE_T_MAX / (2+7+1); for (i = start, ressize = 0; i < end; ++i) { /* object is guaranteed to be "ready" */ ch = PyUnicode_READ_CHAR(object, i); @@ -823,7 +825,7 @@ PyObject *PyCodec_BackslashReplaceErrors(PyObject *exc) Py_ssize_t end; PyObject *res; unsigned char *outp; - int ressize; + Py_ssize_t ressize; Py_UCS4 c; if (PyUnicodeEncodeError_GetStart(exc, &start)) return NULL; @@ -831,6 +833,8 @@ PyObject *PyCodec_BackslashReplaceErrors(PyObject *exc) return NULL; if (!(object = PyUnicodeEncodeError_GetObject(exc))) return NULL; + if (end - start > PY_SSIZE_T_MAX / (1+1+8)) + end = start + PY_SSIZE_T_MAX / (1+1+8); for (i = start, ressize = 0; i < end; ++i) { /* object is guaranteed to be "ready" */ c = PyUnicode_READ_CHAR(object, i); |