Issue #22518: Fixed integer overflow issues in "backslashreplace",

"xmlcharrefreplace", and "surrogatepass" error handlers.
author: Serhiy Storchaka <storchaka@gmail.com> 2014-10-04 14:17:50 +0300
committer: Serhiy Storchaka <storchaka@gmail.com> 2014-10-04 14:17:50 +0300
commit: 8d1e18ef1fe692f3b222b45e0f47236f65bbe24a (patch)
tree: 8c7627299f8c82b7affd6202f2ca727bf74682e6
parent: 90c24c42b2dc912c5b6b2e34d1d4a03a9a7de915 (diff)
parent: 2e374098ff791c81576ff2ba2961dc5011a693bf (diff)
download: cpython-git-8d1e18ef1fe692f3b222b45e0f47236f65bbe24a.tar.gz
2 files changed, 11 insertions, 2 deletions
diff --git a/Misc/NEWS b/Misc/NEWS
index b24e28dcd6..6decc6051e 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -10,6 +10,9 @@ Release date: TBA
 Core and Builtins
 -----------------
 
+- Issue #22518: Fixed integer overflow issues in "backslashreplace",
+  "xmlcharrefreplace", and "surrogatepass" error handlers.
+
 - Issue #22540: speed up `PyObject_IsInstance` and `PyObject_IsSubclass` in the
   common case that the second argument has metaclass `type`.
 
diff --git a/Python/codecs.c b/Python/codecs.c
index 02fce29561..151fea7d49 100644
--- a/Python/codecs.c
+++ b/Python/codecs.c
@@ -773,7 +773,7 @@ PyObject *PyCodec_XMLCharRefReplaceErrors(PyObject *exc)
         Py_ssize_t end;
         PyObject *res;
         unsigned char *outp;
-        int ressize;
+        Py_ssize_t ressize;
         Py_UCS4 ch;
         if (PyUnicodeEncodeError_GetStart(exc, &start))
             return NULL;
@@ -781,6 +781,8 @@ PyObject *PyCodec_XMLCharRefReplaceErrors(PyObject *exc)
             return NULL;
         if (!(object = PyUnicodeEncodeError_GetObject(exc)))
             return NULL;
+        if (end - start > PY_SSIZE_T_MAX / (2+7+1))
+            end = start + PY_SSIZE_T_MAX / (2+7+1);
         for (i = start, ressize = 0; i < end; ++i) {
             /* object is guaranteed to be "ready" */
             ch = PyUnicode_READ_CHAR(object, i);
@@ -869,7 +871,7 @@ PyObject *PyCodec_BackslashReplaceErrors(PyObject *exc)
         Py_ssize_t end;
         PyObject *res;
         unsigned char *outp;
-        int ressize;
+        Py_ssize_t ressize;
         Py_UCS4 c;
         if (PyUnicodeEncodeError_GetStart(exc, &start))
             return NULL;
@@ -877,6 +879,8 @@ PyObject *PyCodec_BackslashReplaceErrors(PyObject *exc)
             return NULL;
         if (!(object = PyUnicodeEncodeError_GetObject(exc)))
             return NULL;
+        if (end - start > PY_SSIZE_T_MAX / (1+1+8))
+            end = start + PY_SSIZE_T_MAX / (1+1+8);
         for (i = start, ressize = 0; i < end; ++i) {
             /* object is guaranteed to be "ready" */
             c = PyUnicode_READ_CHAR(object, i);
@@ -1036,6 +1040,8 @@ PyCodec_SurrogatePassErrors(PyObject *exc)
             return NULL;
         }
 
+        if (end - start > PY_SSIZE_T_MAX / bytelength)
+            end = start + PY_SSIZE_T_MAX / bytelength;
         res = PyBytes_FromStringAndSize(NULL, bytelength*(end-start));
         if (!res) {
             Py_DECREF(object);
author	Serhiy Storchaka <storchaka@gmail.com>	2014-10-04 14:17:50 +0300
committer	Serhiy Storchaka <storchaka@gmail.com>	2014-10-04 14:17:50 +0300
commit	8d1e18ef1fe692f3b222b45e0f47236f65bbe24a (patch)
tree	8c7627299f8c82b7affd6202f2ca727bf74682e6
parent	90c24c42b2dc912c5b6b2e34d1d4a03a9a7de915 (diff)
parent	2e374098ff791c81576ff2ba2961dc5011a693bf (diff)
download	cpython-git-8d1e18ef1fe692f3b222b45e0f47236f65bbe24a.tar.gz