summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--Misc/NEWS2
-rw-r--r--Objects/bytesobject.c28
2 files changed, 18 insertions, 12 deletions
diff --git a/Misc/NEWS b/Misc/NEWS
index 034c72d..0df6679 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -10,6 +10,8 @@ What's New in Python 3.3.6 release candidate 1?
Core and Builtins
-----------------
+- Issue #22519: Fix overflow checking in PyBytes_Repr.
+
- Issue #22518: Fix integer overflow issues in latin-1 encoding.
Library
diff --git a/Objects/bytesobject.c b/Objects/bytesobject.c
index f6d16da..cad22c8 100644
--- a/Objects/bytesobject.c
+++ b/Objects/bytesobject.c
@@ -593,28 +593,27 @@ PyBytes_Repr(PyObject *obj, int smartquotes)
newsize = 3; /* b'' */
s = (unsigned char*)op->ob_sval;
for (i = 0; i < length; i++) {
+ Py_ssize_t incr = 1;
switch(s[i]) {
- case '\'': squotes++; newsize++; break;
- case '"': dquotes++; newsize++; break;
+ case '\'': squotes++; break;
+ case '"': dquotes++; break;
case '\\': case '\t': case '\n': case '\r':
- newsize += 2; break; /* \C */
+ incr = 2; break; /* \C */
default:
if (s[i] < ' ' || s[i] >= 0x7f)
- newsize += 4; /* \xHH */
- else
- newsize++;
+ incr = 4; /* \xHH */
}
+ if (newsize > PY_SSIZE_T_MAX - incr)
+ goto overflow;
+ newsize += incr;
}
quote = '\'';
if (smartquotes && squotes && !dquotes)
quote = '"';
- if (squotes && quote == '\'')
+ if (squotes && quote == '\'') {
+ if (newsize > PY_SSIZE_T_MAX - squotes)
+ goto overflow;
newsize += squotes;
-
- if (newsize > (PY_SSIZE_T_MAX - sizeof(PyUnicodeObject) - 1)) {
- PyErr_SetString(PyExc_OverflowError,
- "bytes object is too large to make repr");
- return NULL;
}
v = PyUnicode_New(newsize, 127);
@@ -646,6 +645,11 @@ PyBytes_Repr(PyObject *obj, int smartquotes)
*p++ = quote;
assert(_PyUnicode_CheckConsistency(v, 1));
return v;
+
+ overflow:
+ PyErr_SetString(PyExc_OverflowError,
+ "bytes object is too large to make repr");
+ return NULL;
}
static PyObject *