diff options
author | Benjamin Peterson <benjamin@python.org> | 2014-09-29 23:09:49 (GMT) |
---|---|---|
committer | Benjamin Peterson <benjamin@python.org> | 2014-09-29 23:09:49 (GMT) |
commit | 18f836fb658a5a545e8f9e3c72751759836322f8 (patch) | |
tree | ddd8a04150cd5e71559ba0b3bf71e57b09ca7912 | |
parent | 2b76ce6d27c5395d88e7aef3a2bab811afc5d8cb (diff) | |
parent | 42ff105539bedfeb8e9a8cb9b8133ac15e027e6f (diff) | |
download | cpython-18f836fb658a5a545e8f9e3c72751759836322f8.zip cpython-18f836fb658a5a545e8f9e3c72751759836322f8.tar.gz cpython-18f836fb658a5a545e8f9e3c72751759836322f8.tar.bz2 |
merge 3.3 (closes #22519)
-rw-r--r-- | Misc/NEWS | 2 | ||||
-rw-r--r-- | Objects/bytesobject.c | 28 |
2 files changed, 18 insertions, 12 deletions
@@ -9,6 +9,8 @@ What's New in Python 3.4.3? Core and Builtins ----------------- +- Issue #22519: Fix overflow checking in PyBytes_Repr. + - Issue #22518: Fix integer overflow issues in latin-1 encoding. Library diff --git a/Objects/bytesobject.c b/Objects/bytesobject.c index b93b9ef..6eb61e3 100644 --- a/Objects/bytesobject.c +++ b/Objects/bytesobject.c @@ -603,28 +603,27 @@ PyBytes_Repr(PyObject *obj, int smartquotes) newsize = 3; /* b'' */ s = (unsigned char*)op->ob_sval; for (i = 0; i < length; i++) { + Py_ssize_t incr = 1; switch(s[i]) { - case '\'': squotes++; newsize++; break; - case '"': dquotes++; newsize++; break; + case '\'': squotes++; break; + case '"': dquotes++; break; case '\\': case '\t': case '\n': case '\r': - newsize += 2; break; /* \C */ + incr = 2; break; /* \C */ default: if (s[i] < ' ' || s[i] >= 0x7f) - newsize += 4; /* \xHH */ - else - newsize++; + incr = 4; /* \xHH */ } + if (newsize > PY_SSIZE_T_MAX - incr) + goto overflow; + newsize += incr; } quote = '\''; if (smartquotes && squotes && !dquotes) quote = '"'; - if (squotes && quote == '\'') + if (squotes && quote == '\'') { + if (newsize > PY_SSIZE_T_MAX - squotes) + goto overflow; newsize += squotes; - - if (newsize > (PY_SSIZE_T_MAX - sizeof(PyUnicodeObject) - 1)) { - PyErr_SetString(PyExc_OverflowError, - "bytes object is too large to make repr"); - return NULL; } v = PyUnicode_New(newsize, 127); @@ -656,6 +655,11 @@ PyBytes_Repr(PyObject *obj, int smartquotes) *p++ = quote; assert(_PyUnicode_CheckConsistency(v, 1)); return v; + + overflow: + PyErr_SetString(PyExc_OverflowError, + "bytes object is too large to make repr"); + return NULL; } static PyObject * |