diff options
| author | Serhiy Storchaka <storchaka@gmail.com> | 2022-05-02 09:37:48 (GMT) |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-05-02 09:37:48 (GMT) |
| commit | 18b07d773e09a2719e69aeaa925d5abb7ba0c068 (patch) | |
| tree | 24e00867bcd614057ca886b2e977153d6168fa59 /Objects/stringlib | |
| parent | 614420df9796c8a4f01e24052fc0128b4c20c5bf (diff) | |
| download | cpython-18b07d773e09a2719e69aeaa925d5abb7ba0c068.zip cpython-18b07d773e09a2719e69aeaa925d5abb7ba0c068.tar.gz cpython-18b07d773e09a2719e69aeaa925d5abb7ba0c068.tar.bz2 | |
bpo-36819: Fix crashes in built-in encoders with weird error handlers (GH-28593)
If the error handler returns position less or equal than the starting
position of non-encodable characters, most of built-in encoders didn't
properly re-size the output buffer. This led to out-of-bounds writes,
and segfaults.
Diffstat (limited to 'Objects/stringlib')
| -rw-r--r-- | Objects/stringlib/codecs.h | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/Objects/stringlib/codecs.h b/Objects/stringlib/codecs.h index b17cda1..958cc86 100644 --- a/Objects/stringlib/codecs.h +++ b/Objects/stringlib/codecs.h @@ -387,8 +387,19 @@ STRINGLIB(utf8_encoder)(_PyBytesWriter *writer, if (!rep) goto error; - /* subtract preallocated bytes */ - writer->min_size -= max_char_size * (newpos - startpos); + if (newpos < startpos) { + writer->overallocate = 1; + p = _PyBytesWriter_Prepare(writer, p, + max_char_size * (startpos - newpos)); + if (p == NULL) + goto error; + } + else { + /* subtract preallocated bytes */ + writer->min_size -= max_char_size * (newpos - startpos); + /* Only overallocate the buffer if it's not the last write */ + writer->overallocate = (newpos < size); + } if (PyBytes_Check(rep)) { p = _PyBytesWriter_WriteBytes(writer, p, |