From e3bfe19358f9d6747676fcdb9af415972d276671 Mon Sep 17 00:00:00 2001 From: Benjamin Peterson Date: Sun, 1 Feb 2015 17:53:53 -0500 Subject: [PATCH] fix possible overflow in encode_basestring_ascii (closes #23369) --- .../test_json/test_encode_basestring_ascii.py | 9 ++++++++- Misc/NEWS | 6 ++++++ Modules/_json.c | 15 +++++++++++---- 3 files changed, 25 insertions(+), 5 deletions(-) diff --git a/Lib/test/test_json/test_encode_basestring_ascii.py b/Lib/test/test_json/test_encode_basestring_ascii.py index 480afd686e4..3c014d327c1 100644 --- a/Lib/test/test_json/test_encode_basestring_ascii.py +++ b/Lib/test/test_json/test_encode_basestring_ascii.py @@ -1,5 +1,6 @@ from collections import OrderedDict from test.test_json import PyTest, CTest +from test.support import bigaddrspacetest CASES = [ @@ -41,4 +42,10 @@ class TestEncodeBasestringAscii: class TestPyEncodeBasestringAscii(TestEncodeBasestringAscii, PyTest): pass -class TestCEncodeBasestringAscii(TestEncodeBasestringAscii, CTest): pass +class TestCEncodeBasestringAscii(TestEncodeBasestringAscii, CTest): + @bigaddrspacetest + def test_overflow(self): + s = "\uffff"*((2**32)//6 + 1) + with self.assertRaises(OverflowError): + self.json.encoder.encode_basestring_ascii(s) + diff --git a/Misc/NEWS b/Misc/NEWS index b203462fea9..b69955aa61a 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -13,6 +13,12 @@ Core and Builtins - Issue #23055: Fixed a buffer overflow in PyUnicode_FromFormatV. Analysis and fix by Guido Vranken. +Library +------- + +- Issue #23369: Fixed possible integer overflow in + _json.encode_basestring_ascii. + What's New in Python 3.3.6? =========================== diff --git a/Modules/_json.c b/Modules/_json.c index 4bc585dc2ab..397037e56b9 100644 --- a/Modules/_json.c +++ b/Modules/_json.c @@ -216,17 +216,24 @@ ascii_escape_unicode(PyObject *pystr) /* Compute the output size */ for (i = 0, output_size = 2; i < input_chars; i++) { Py_UCS4 c = PyUnicode_READ(kind, input, i); - if (S_CHAR(c)) - output_size++; + Py_ssize_t d; + if (S_CHAR(c)) { + d = 1; + } else { switch(c) { case '\\': case '"': case '\b': case '\f': case '\n': case '\r': case '\t': - output_size += 2; break; + d = 2; break; default: - output_size += c >= 0x10000 ? 12 : 6; + d = c >= 0x10000 ? 12 : 6; } } + if (output_size > PY_SSIZE_T_MAX - d) { + PyErr_SetString(PyExc_OverflowError, "string is too long to escape"); + return NULL; + } + output_size += d; } rval = PyUnicode_New(output_size, 127);