diff options
author | Benjamin Peterson <benjamin@python.org> | 2015-02-01 22:53:53 (GMT) |
---|---|---|
committer | Benjamin Peterson <benjamin@python.org> | 2015-02-01 22:53:53 (GMT) |
commit | e3bfe19358f9d6747676fcdb9af415972d276671 (patch) | |
tree | 5af2f199c00afdfc3c1ebc3c9f4fb10dbc2f68c3 /Modules | |
parent | 4dbc30500218204eace01fa4d429f3087df5376f (diff) | |
download | cpython-e3bfe19358f9d6747676fcdb9af415972d276671.zip cpython-e3bfe19358f9d6747676fcdb9af415972d276671.tar.gz cpython-e3bfe19358f9d6747676fcdb9af415972d276671.tar.bz2 |
fix possible overflow in encode_basestring_ascii (closes #23369)
Diffstat (limited to 'Modules')
-rw-r--r-- | Modules/_json.c | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/Modules/_json.c b/Modules/_json.c index 4bc585d..397037e 100644 --- a/Modules/_json.c +++ b/Modules/_json.c @@ -216,17 +216,24 @@ ascii_escape_unicode(PyObject *pystr) /* Compute the output size */ for (i = 0, output_size = 2; i < input_chars; i++) { Py_UCS4 c = PyUnicode_READ(kind, input, i); - if (S_CHAR(c)) - output_size++; + Py_ssize_t d; + if (S_CHAR(c)) { + d = 1; + } else { switch(c) { case '\\': case '"': case '\b': case '\f': case '\n': case '\r': case '\t': - output_size += 2; break; + d = 2; break; default: - output_size += c >= 0x10000 ? 12 : 6; + d = c >= 0x10000 ? 12 : 6; } } + if (output_size > PY_SSIZE_T_MAX - d) { + PyErr_SetString(PyExc_OverflowError, "string is too long to escape"); + return NULL; + } + output_size += d; } rval = PyUnicode_New(output_size, 127); |