[Python-checkins] cpython: Issue #19676: Fixed integer overflow issue in "namereplace" error handler.
serhiy.storchaka
python-checkins at python.org
Wed Nov 26 11:14:10 CET 2014
https://hg.python.org/cpython/rev/21d1571c0533
changeset: 93597:21d1571c0533
parent: 93592:81b5268efff6
user: Serhiy Storchaka <storchaka at gmail.com>
date: Wed Nov 26 12:11:40 2014 +0200
summary:
Issue #19676: Fixed integer overflow issue in "namereplace" error handler.
files:
Python/codecs.c | 16 +++++++++++-----
1 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/Python/codecs.c b/Python/codecs.c
--- a/Python/codecs.c
+++ b/Python/codecs.c
@@ -947,7 +947,8 @@
Py_ssize_t end;
PyObject *res;
unsigned char *outp;
- int ressize;
+ Py_ssize_t ressize;
+ int replsize;
Py_UCS4 c;
char buffer[256]; /* NAME_MAXLEN */
if (PyUnicodeEncodeError_GetStart(exc, &start))
@@ -967,17 +968,21 @@
c = PyUnicode_READ_CHAR(object, i);
if (ucnhash_CAPI &&
ucnhash_CAPI->getname(NULL, c, buffer, sizeof(buffer), 1)) {
- ressize += 1+1+1+strlen(buffer)+1;
+ replsize = 1+1+1+strlen(buffer)+1;
}
else if (c >= 0x10000) {
- ressize += 1+1+8;
+ replsize = 1+1+8;
}
else if (c >= 0x100) {
- ressize += 1+1+4;
+ replsize = 1+1+4;
}
else
- ressize += 1+1+2;
+ replsize = 1+1+2;
+ if (ressize > PY_SSIZE_T_MAX - replsize)
+ break;
+ ressize += replsize;
}
+ end = i;
res = PyUnicode_New(ressize, 127);
if (res==NULL)
return NULL;
@@ -1014,6 +1019,7 @@
*outp++ = Py_hexdigits[c&0xf];
}
+ assert(out == start + ressize);
assert(_PyUnicode_CheckConsistency(res, 1));
restuple = Py_BuildValue("(Nn)", res, end);
Py_DECREF(object);
--
Repository URL: https://hg.python.org/cpython
More information about the Python-checkins
mailing list