summaryrefslogtreecommitdiffstats
path: root/Python
diff options
context:
space:
mode:
authorSerhiy Storchaka <storchaka@gmail.com>2014-10-04 11:17:50 (GMT)
committerSerhiy Storchaka <storchaka@gmail.com>2014-10-04 11:17:50 (GMT)
commit8d1e18ef1fe692f3b222b45e0f47236f65bbe24a (patch)
tree8c7627299f8c82b7affd6202f2ca727bf74682e6 /Python
parent90c24c42b2dc912c5b6b2e34d1d4a03a9a7de915 (diff)
parent2e374098ff791c81576ff2ba2961dc5011a693bf (diff)
downloadcpython-8d1e18ef1fe692f3b222b45e0f47236f65bbe24a.zip
cpython-8d1e18ef1fe692f3b222b45e0f47236f65bbe24a.tar.gz
cpython-8d1e18ef1fe692f3b222b45e0f47236f65bbe24a.tar.bz2
Issue #22518: Fixed integer overflow issues in "backslashreplace",
"xmlcharrefreplace", and "surrogatepass" error handlers.
Diffstat (limited to 'Python')
-rw-r--r--Python/codecs.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/Python/codecs.c b/Python/codecs.c
index 02fce29..151fea7 100644
--- a/Python/codecs.c
+++ b/Python/codecs.c
@@ -773,7 +773,7 @@ PyObject *PyCodec_XMLCharRefReplaceErrors(PyObject *exc)
Py_ssize_t end;
PyObject *res;
unsigned char *outp;
- int ressize;
+ Py_ssize_t ressize;
Py_UCS4 ch;
if (PyUnicodeEncodeError_GetStart(exc, &start))
return NULL;
@@ -781,6 +781,8 @@ PyObject *PyCodec_XMLCharRefReplaceErrors(PyObject *exc)
return NULL;
if (!(object = PyUnicodeEncodeError_GetObject(exc)))
return NULL;
+ if (end - start > PY_SSIZE_T_MAX / (2+7+1))
+ end = start + PY_SSIZE_T_MAX / (2+7+1);
for (i = start, ressize = 0; i < end; ++i) {
/* object is guaranteed to be "ready" */
ch = PyUnicode_READ_CHAR(object, i);
@@ -869,7 +871,7 @@ PyObject *PyCodec_BackslashReplaceErrors(PyObject *exc)
Py_ssize_t end;
PyObject *res;
unsigned char *outp;
- int ressize;
+ Py_ssize_t ressize;
Py_UCS4 c;
if (PyUnicodeEncodeError_GetStart(exc, &start))
return NULL;
@@ -877,6 +879,8 @@ PyObject *PyCodec_BackslashReplaceErrors(PyObject *exc)
return NULL;
if (!(object = PyUnicodeEncodeError_GetObject(exc)))
return NULL;
+ if (end - start > PY_SSIZE_T_MAX / (1+1+8))
+ end = start + PY_SSIZE_T_MAX / (1+1+8);
for (i = start, ressize = 0; i < end; ++i) {
/* object is guaranteed to be "ready" */
c = PyUnicode_READ_CHAR(object, i);
@@ -1036,6 +1040,8 @@ PyCodec_SurrogatePassErrors(PyObject *exc)
return NULL;
}
+ if (end - start > PY_SSIZE_T_MAX / bytelength)
+ end = start + PY_SSIZE_T_MAX / bytelength;
res = PyBytes_FromStringAndSize(NULL, bytelength*(end-start));
if (!res) {
Py_DECREF(object);