diff options
author | Serhiy Storchaka <storchaka@gmail.com> | 2014-10-04 11:17:50 (GMT) |
---|---|---|
committer | Serhiy Storchaka <storchaka@gmail.com> | 2014-10-04 11:17:50 (GMT) |
commit | 8d1e18ef1fe692f3b222b45e0f47236f65bbe24a (patch) | |
tree | 8c7627299f8c82b7affd6202f2ca727bf74682e6 /Python | |
parent | 90c24c42b2dc912c5b6b2e34d1d4a03a9a7de915 (diff) | |
parent | 2e374098ff791c81576ff2ba2961dc5011a693bf (diff) | |
download | cpython-8d1e18ef1fe692f3b222b45e0f47236f65bbe24a.zip cpython-8d1e18ef1fe692f3b222b45e0f47236f65bbe24a.tar.gz cpython-8d1e18ef1fe692f3b222b45e0f47236f65bbe24a.tar.bz2 |
Issue #22518: Fixed integer overflow issues in "backslashreplace",
"xmlcharrefreplace", and "surrogatepass" error handlers.
Diffstat (limited to 'Python')
-rw-r--r-- | Python/codecs.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/Python/codecs.c b/Python/codecs.c index 02fce29..151fea7 100644 --- a/Python/codecs.c +++ b/Python/codecs.c @@ -773,7 +773,7 @@ PyObject *PyCodec_XMLCharRefReplaceErrors(PyObject *exc) Py_ssize_t end; PyObject *res; unsigned char *outp; - int ressize; + Py_ssize_t ressize; Py_UCS4 ch; if (PyUnicodeEncodeError_GetStart(exc, &start)) return NULL; @@ -781,6 +781,8 @@ PyObject *PyCodec_XMLCharRefReplaceErrors(PyObject *exc) return NULL; if (!(object = PyUnicodeEncodeError_GetObject(exc))) return NULL; + if (end - start > PY_SSIZE_T_MAX / (2+7+1)) + end = start + PY_SSIZE_T_MAX / (2+7+1); for (i = start, ressize = 0; i < end; ++i) { /* object is guaranteed to be "ready" */ ch = PyUnicode_READ_CHAR(object, i); @@ -869,7 +871,7 @@ PyObject *PyCodec_BackslashReplaceErrors(PyObject *exc) Py_ssize_t end; PyObject *res; unsigned char *outp; - int ressize; + Py_ssize_t ressize; Py_UCS4 c; if (PyUnicodeEncodeError_GetStart(exc, &start)) return NULL; @@ -877,6 +879,8 @@ PyObject *PyCodec_BackslashReplaceErrors(PyObject *exc) return NULL; if (!(object = PyUnicodeEncodeError_GetObject(exc))) return NULL; + if (end - start > PY_SSIZE_T_MAX / (1+1+8)) + end = start + PY_SSIZE_T_MAX / (1+1+8); for (i = start, ressize = 0; i < end; ++i) { /* object is guaranteed to be "ready" */ c = PyUnicode_READ_CHAR(object, i); @@ -1036,6 +1040,8 @@ PyCodec_SurrogatePassErrors(PyObject *exc) return NULL; } + if (end - start > PY_SSIZE_T_MAX / bytelength) + end = start + PY_SSIZE_T_MAX / bytelength; res = PyBytes_FromStringAndSize(NULL, bytelength*(end-start)); if (!res) { Py_DECREF(object); |