summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorBenjamin Peterson <benjamin@python.org>2014-09-29 23:09:49 (GMT)
committerBenjamin Peterson <benjamin@python.org>2014-09-29 23:09:49 (GMT)
commit18f836fb658a5a545e8f9e3c72751759836322f8 (patch)
treeddd8a04150cd5e71559ba0b3bf71e57b09ca7912
parent2b76ce6d27c5395d88e7aef3a2bab811afc5d8cb (diff)
parent42ff105539bedfeb8e9a8cb9b8133ac15e027e6f (diff)
downloadcpython-18f836fb658a5a545e8f9e3c72751759836322f8.zip
cpython-18f836fb658a5a545e8f9e3c72751759836322f8.tar.gz
cpython-18f836fb658a5a545e8f9e3c72751759836322f8.tar.bz2
merge 3.3 (closes #22519)
-rw-r--r--Misc/NEWS2
-rw-r--r--Objects/bytesobject.c28
2 files changed, 18 insertions, 12 deletions
diff --git a/Misc/NEWS b/Misc/NEWS
index 3d13192..6eb64f9 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -9,6 +9,8 @@ What's New in Python 3.4.3?
Core and Builtins
-----------------
+- Issue #22519: Fix overflow checking in PyBytes_Repr.
+
- Issue #22518: Fix integer overflow issues in latin-1 encoding.
Library
diff --git a/Objects/bytesobject.c b/Objects/bytesobject.c
index b93b9ef..6eb61e3 100644
--- a/Objects/bytesobject.c
+++ b/Objects/bytesobject.c
@@ -603,28 +603,27 @@ PyBytes_Repr(PyObject *obj, int smartquotes)
newsize = 3; /* b'' */
s = (unsigned char*)op->ob_sval;
for (i = 0; i < length; i++) {
+ Py_ssize_t incr = 1;
switch(s[i]) {
- case '\'': squotes++; newsize++; break;
- case '"': dquotes++; newsize++; break;
+ case '\'': squotes++; break;
+ case '"': dquotes++; break;
case '\\': case '\t': case '\n': case '\r':
- newsize += 2; break; /* \C */
+ incr = 2; break; /* \C */
default:
if (s[i] < ' ' || s[i] >= 0x7f)
- newsize += 4; /* \xHH */
- else
- newsize++;
+ incr = 4; /* \xHH */
}
+ if (newsize > PY_SSIZE_T_MAX - incr)
+ goto overflow;
+ newsize += incr;
}
quote = '\'';
if (smartquotes && squotes && !dquotes)
quote = '"';
- if (squotes && quote == '\'')
+ if (squotes && quote == '\'') {
+ if (newsize > PY_SSIZE_T_MAX - squotes)
+ goto overflow;
newsize += squotes;
-
- if (newsize > (PY_SSIZE_T_MAX - sizeof(PyUnicodeObject) - 1)) {
- PyErr_SetString(PyExc_OverflowError,
- "bytes object is too large to make repr");
- return NULL;
}
v = PyUnicode_New(newsize, 127);
@@ -656,6 +655,11 @@ PyBytes_Repr(PyObject *obj, int smartquotes)
*p++ = quote;
assert(_PyUnicode_CheckConsistency(v, 1));
return v;
+
+ overflow:
+ PyErr_SetString(PyExc_OverflowError,
+ "bytes object is too large to make repr");
+ return NULL;
}
static PyObject *