From 736b8012b42be24dd26b57bd443a576cc37c116c Mon Sep 17 00:00:00 2001 From: Benjamin Peterson Date: Mon, 29 Sep 2014 23:02:15 -0400 Subject: prevent overflow in unicode_repr (closes #22520) --- Misc/NEWS | 3 +++ Objects/unicodeobject.c | 28 +++++++++++++++++----------- 2 files changed, 20 insertions(+), 11 deletions(-) diff --git a/Misc/NEWS b/Misc/NEWS index 890c251..1c2393c 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -10,6 +10,9 @@ What's New in Python 3.3.6 release candidate 1? Core and Builtins ----------------- +- Issue #22520: Fix overflow checking when generating the repr of a unicode + object. + - Issue #22519: Fix overflow checking in PyBytes_Repr. - Issue #22518: Fix integer overflow issues in latin-1 encoding. diff --git a/Objects/unicodeobject.c b/Objects/unicodeobject.c index 07832ba..1ce5caa 100644 --- a/Objects/unicodeobject.c +++ b/Objects/unicodeobject.c @@ -12000,28 +12000,34 @@ unicode_repr(PyObject *unicode) ikind = PyUnicode_KIND(unicode); for (i = 0; i < isize; i++) { Py_UCS4 ch = PyUnicode_READ(ikind, idata, i); + Py_ssize_t incr = 1; switch (ch) { - case '\'': squote++; osize++; break; - case '"': dquote++; osize++; break; + case '\'': squote++; break; + case '"': dquote++; break; case '\\': case '\t': case '\r': case '\n': - osize += 2; break; + incr = 2; + break; default: /* Fast-path ASCII */ if (ch < ' ' || ch == 0x7f) - osize += 4; /* \xHH */ + incr = 4; /* \xHH */ else if (ch < 0x7f) - osize++; - else if (Py_UNICODE_ISPRINTABLE(ch)) { - osize++; + ; + else if (Py_UNICODE_ISPRINTABLE(ch)) max = ch > max ? ch : max; - } else if (ch < 0x100) - osize += 4; /* \xHH */ + incr = 4; /* \xHH */ else if (ch < 0x10000) - osize += 6; /* \uHHHH */ + incr = 6; /* \uHHHH */ else - osize += 10; /* \uHHHHHHHH */ + incr = 10; /* \uHHHHHHHH */ + } + if (osize > PY_SSIZE_T_MAX - incr) { + PyErr_SetString(PyExc_OverflowError, + "string is too long to generate repr"); + return NULL; } + osize += incr; } quote = '\''; -- cgit v0.12