Merged revisions 65147 via svnmerge from

svn+ssh://pythondev@svn.python.org/python/trunk

........
  r65147 | bob.ippolito | 2008-07-19 16:59:50 -0500 (Sat, 19 Jul 2008) | 1 line

  #3322: bounds checking for _json.scanstring
........

1 files changed, 10 insertions, 2 deletions

diff --git a/Modules/_json.c b/Modules/_json.c
index a4308fd..1cf1e63 100644
--- a/Modules/_json.c
+++ b/Modules/_json.c
@@ -236,6 +236,10 @@ scanstring_str(PyObject *pystr, Py_ssize_t end, char *encoding, int strict)
     if (chunks == NULL) {
         goto bail;
     }
+    if (end < 0 || len <= end) {
+        PyErr_SetString(PyExc_ValueError, "end is out of bounds");
+        goto bail;
+    }
     while (1) {
         /* Find the end of the string or the next escape */
         Py_UNICODE c = 0;
@@ -246,7 +250,7 @@ scanstring_str(PyObject *pystr, Py_ssize_t end, char *encoding, int strict)
                 break;
             }
             else if (strict && c <= 0x1f) {
-                raise_errmsg("Invalid control character at", pystr, begin);
+                raise_errmsg("Invalid control character at", pystr, next);
                 goto bail;
             }
         }
@@ -401,6 +405,10 @@ scanstring_unicode(PyObject *pystr, Py_ssize_t end, int strict)
     if (chunks == NULL) {
         goto bail;
     }
+    if (end < 0 || len <= end) {
+        PyErr_SetString(PyExc_ValueError, "end is out of bounds");
+        goto bail;
+    }
     while (1) {
         /* Find the end of the string or the next escape */
         Py_UNICODE c = 0;
@@ -411,7 +419,7 @@ scanstring_unicode(PyObject *pystr, Py_ssize_t end, int strict)
                 break;
             }
             else if (strict && c <= 0x1f) {
-                raise_errmsg("Invalid control character at", pystr, begin);
+                raise_errmsg("Invalid control character at", pystr, next);
                 goto bail;
             }
         }