diff options
| author | Serhiy Storchaka <storchaka@gmail.com> | 2014-11-26 12:11:40 +0200 |
|---|---|---|
| committer | Serhiy Storchaka <storchaka@gmail.com> | 2014-11-26 12:11:40 +0200 |
| commit | aacfcccdc39b074521d3e5d4b5a1b1e020662366 (patch) | |
| tree | 05bd095a05568fb97d53ff8df7e4020beb2ad2e9 /Python/codecs.c | |
| parent | 8dcaa4b1c6d98797120ce0a96d458f923505418d (diff) | |
| download | cpython-git-aacfcccdc39b074521d3e5d4b5a1b1e020662366.tar.gz | |
Issue #19676: Fixed integer overflow issue in "namereplace" error handler.
Diffstat (limited to 'Python/codecs.c')
| -rw-r--r-- | Python/codecs.c | 16 |
1 files changed, 11 insertions, 5 deletions
diff --git a/Python/codecs.c b/Python/codecs.c index b09ea3a28f..8ffa80b213 100644 --- a/Python/codecs.c +++ b/Python/codecs.c @@ -947,7 +947,8 @@ PyObject *PyCodec_NameReplaceErrors(PyObject *exc) Py_ssize_t end; PyObject *res; unsigned char *outp; - int ressize; + Py_ssize_t ressize; + int replsize; Py_UCS4 c; char buffer[256]; /* NAME_MAXLEN */ if (PyUnicodeEncodeError_GetStart(exc, &start)) @@ -967,17 +968,21 @@ PyObject *PyCodec_NameReplaceErrors(PyObject *exc) c = PyUnicode_READ_CHAR(object, i); if (ucnhash_CAPI && ucnhash_CAPI->getname(NULL, c, buffer, sizeof(buffer), 1)) { - ressize += 1+1+1+strlen(buffer)+1; + replsize = 1+1+1+strlen(buffer)+1; } else if (c >= 0x10000) { - ressize += 1+1+8; + replsize = 1+1+8; } else if (c >= 0x100) { - ressize += 1+1+4; + replsize = 1+1+4; } else - ressize += 1+1+2; + replsize = 1+1+2; + if (ressize > PY_SSIZE_T_MAX - replsize) + break; + ressize += replsize; } + end = i; res = PyUnicode_New(ressize, 127); if (res==NULL) return NULL; @@ -1014,6 +1019,7 @@ PyObject *PyCodec_NameReplaceErrors(PyObject *exc) *outp++ = Py_hexdigits[c&0xf]; } + assert(out == start + ressize); assert(_PyUnicode_CheckConsistency(res, 1)); restuple = Py_BuildValue("(Nn)", res, end); Py_DECREF(object); |