[issue14579] Vulnerability in the utf-16 decoder after error handling

Serhiy Storchaka report at bugs.python.org
Fri Apr 20 13:43:35 CEST 2012

Serhiy Storchaka <storchaka at gmail.com> added the comment:

> So this adjustment is necessary because the *input* may change in the callback,
> not because the output may change. So the comment in decode_utf8_errors seems
> just as wrong.

You're right, my eyes were in a lather. Now I see it.

What comment would you offer? If someone would correct the comment
for decode_utf8_errors, I just copied it.

> Why this is relevant to this issue, is unclear to me, though: the ignore handler
> doesn't modify the input object.

I first got the crash using a custom handler, and then I saw that the
"ignore" handler is enough. Even if the "ignore" handler does not have
to change the input object, other handlers can do it, and this
reason for the crash remains.


Python tracker <report at bugs.python.org>
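
A regression check for the property discussed in this message, added here as an example and not part of the original message or of CPython's test suite: on a current CPython 3, the UTF-16 decoder must continue from the input object the error handler leaves in `exc.object`, and must bounds-check the handler's resume position against that new object. The handler names and byte strings are constructed for the example.

```python
import codecs

# Constructed sample: 'a', a lone high surrogate (U+D800), then 'b', in UTF-16-LE.
BAD = b"a\x00" + b"\x00\xd8" + b"b\x00"
# Constructed buffer that the handler swaps in as the decoder's input.
SWAPPED = b"x\x00y\x00z\x00"


def swap_input(exc):
    """Hypothetical handler: replace the input object and resume at offset 2."""
    if not isinstance(exc, UnicodeDecodeError):
        raise exc
    exc.object = SWAPPED      # the decoder must re-read its pointers from this
    return ("", 2)            # no replacement text; resume inside SWAPPED


def shrink_input(exc):
    """Hypothetical handler: shrink the input but return a stale position."""
    if not isinstance(exc, UnicodeDecodeError):
        raise exc
    exc.object = b""          # new input is empty
    return ("", 4)            # position only valid for the old, longer input


codecs.register_error("example.swap", swap_input)
codecs.register_error("example.shrink", shrink_input)


def decode_with_swap():
    # 'a' comes from BAD; the rest is decoded from SWAPPED starting at byte 2.
    return BAD.decode("utf-16-le", "example.swap")


def decode_with_shrink():
    # A safe decoder rejects the stale position instead of reading past the end.
    try:
        BAD.decode("utf-16-le", "example.shrink")
    except IndexError:
        return "IndexError"
    return "decoded"


if __name__ == "__main__":
    print(repr(decode_with_swap()))
    print(decode_with_shrink())
```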
