[Python-checkins] r52423 - in python/branches/release23-maint: Misc/NEWS Objects/unicodeobject.c
anthony.baxter
python-checkins at python.org
Mon Oct 23 17:23:23 CEST 2006
Author: anthony.baxter
Date: Mon Oct 23 17:23:22 2006
New Revision: 52423
Modified:
python/branches/release23-maint/Misc/NEWS
python/branches/release23-maint/Objects/unicodeobject.c
Log:
patch for PSF-2006-001.
Modified: python/branches/release23-maint/Misc/NEWS
==============================================================================
--- python/branches/release23-maint/Misc/NEWS (original)
+++ python/branches/release23-maint/Misc/NEWS Mon Oct 23 17:23:22 2006
@@ -4,26 +4,22 @@
(editors: check NEWS.help for information about editing NEWS using ReST.)
-What's New in Python 2.3.6rc1?
-==============================
+What's New in Python 2.3.6c1?
+=============================
-*Release date: XX-XXX-200X*
+*Release date: 25-OCT-2006*
-Extension modules
+Core and builtins
-----------------
-- Apply fix for potential heap overflow in PCRE code (CAN-2005-2491).
-
-
-What's New in Python 2.3.5?
-==============================
-
-*Release date: 08-FEB-2005*
+- Patch #1541585: fix buffer overrun when performing repr() on
+ a unicode string in a build with wide unicode (UCS-4) support.
+ This is the problem described in security advisory PSF-2006-001.
-Core and builtins
+Extension modules
-----------------
-- Partially revert the fix for #1074011; don't try to fflush stdin anymore.
+- Apply fix for potential heap overflow in PCRE code (CAN-2005-2491).
Library
-------
@@ -40,6 +36,19 @@
Also, whereas % values were decoded in all parameter continuations, they are
now only decoded in encoded parameter parts.
+What's New in Python 2.3.5?
+==============================
+
+*Release date: 08-FEB-2005*
+
+Core and builtins
+-----------------
+
+- Partially revert the fix for #1074011; don't try to fflush stdin anymore.
+
+Library
+-------
+
- Applied a security fix to SimpleXMLRPCserver (PSF-2005-001). This
disables recursive traversal through instance attributes, which can
be exploited in various ways.
Modified: python/branches/release23-maint/Objects/unicodeobject.c
==============================================================================
--- python/branches/release23-maint/Objects/unicodeobject.c (original)
+++ python/branches/release23-maint/Objects/unicodeobject.c Mon Oct 23 17:23:22 2006
@@ -1888,7 +1888,28 @@
static const char *hexdigit = "0123456789abcdef";
- repr = PyString_FromStringAndSize(NULL, 2 + 6*size + 1);
+ /* Initial allocation is based on the longest-possible unichr
+ escape.
+
+ In wide (UTF-32) builds '\U00xxxxxx' is 10 chars per source
+ unichr, so in this case it's the longest unichr escape. In
+ narrow (UTF-16) builds this is five chars per source unichr
+ since there are two unichrs in the surrogate pair, so in narrow
+ (UTF-16) builds it's not the longest unichr escape.
+
+ In wide or narrow builds '\uxxxx' is 6 chars per source unichr,
+ so in the narrow (UTF-16) build case it's the longest unichr
+ escape.
+ */
+
+ repr = PyString_FromStringAndSize(NULL,
+ 2
+#ifdef Py_UNICODE_WIDE
+ + 10*size
+#else
+ + 6*size
+#endif
+ + 1);
if (repr == NULL)
return NULL;
@@ -1913,15 +1934,6 @@
#ifdef Py_UNICODE_WIDE
/* Map 21-bit characters to '\U00xxxxxx' */
else if (ch >= 0x10000) {
- int offset = p - PyString_AS_STRING(repr);
-
- /* Resize the string if necessary */
- if (offset + 12 > PyString_GET_SIZE(repr)) {
- if (_PyString_Resize(&repr, PyString_GET_SIZE(repr) + 100))
- return NULL;
- p = PyString_AS_STRING(repr) + offset;
- }
-
*p++ = '\\';
*p++ = 'U';
*p++ = hexdigit[(ch >> 28) & 0x0000000F];
@@ -1934,8 +1946,8 @@
*p++ = hexdigit[ch & 0x0000000F];
continue;
}
-#endif
- /* Map UTF-16 surrogate pairs to Unicode \UXXXXXXXX escapes */
+#else
+ /* Map UTF-16 surrogate pairs to '\U00xxxxxx' */
else if (ch >= 0xD800 && ch < 0xDC00) {
Py_UNICODE ch2;
Py_UCS4 ucs;
@@ -1960,6 +1972,7 @@
s--;
size++;
}
+#endif
/* Map 16-bit characters to '\uxxxx' */
if (ch >= 256) {
More information about the Python-checkins
mailing list