traverseda
/
cpython
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Issue #22518: Fixed integer overflow issues in "backslashreplace" and 

"xmlcharrefreplace" error handlers.
This commit is contained in:
Serhiy Storchaka 2014-10-04 14:14:41 +03:00
parent 52313d72fa
commit d524922bdc
2 changed files with 15 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
Misc/NEWS
View File

@ -10,6 +10,9 @@ What's New in Python 2.7.9?
Core and Builtins
-----------------
- Issue #22518: Fixed integer overflow issues in "backslashreplace" and
"xmlcharrefreplace" error handlers.
- Issue #22526: Fix iterating through files with lines longer than 2^31 bytes.
- Issue #22519: Fix overflow checking in PyString_Repr.

14
Python/codecs.c
View File

@ -558,7 +558,7 @@ PyObject *PyCodec_XMLCharRefReplaceErrors(PyObject *exc)
Py_UNICODE *startp;
Py_UNICODE *e;
Py_UNICODE *outp;
int ressize;
Py_ssize_t ressize;
if (PyUnicodeEncodeError_GetStart(exc, &start))
return NULL;
if (PyUnicodeEncodeError_GetEnd(exc, &end))
@ -566,6 +566,14 @@ PyObject *PyCodec_XMLCharRefReplaceErrors(PyObject *exc)
if (!(object = PyUnicodeEncodeError_GetObject(exc)))
return NULL;
startp = PyUnicode_AS_UNICODE(object);
if (end - start > PY_SSIZE_T_MAX / (2+7+1)) {
end = start + PY_SSIZE_T_MAX / (2+7+1);
#ifndef Py_UNICODE_WIDE
ch = startp[end - 1];
if (0xD800 <= ch && ch <= 0xDBFF)
end--;
#endif
}
e = startp + end;
for (p = startp+start, ressize = 0; p < e;) {
Py_UCS4 ch = *p++;
@ -675,13 +683,15 @@ PyObject *PyCodec_BackslashReplaceErrors(PyObject *exc)
Py_UNICODE *p;
Py_UNICODE *startp;
Py_UNICODE *outp;
int ressize;
Py_ssize_t ressize;
if (PyUnicodeEncodeError_GetStart(exc, &start))
return NULL;
if (PyUnicodeEncodeError_GetEnd(exc, &end))
return NULL;
if (!(object = PyUnicodeEncodeError_GetObject(exc)))
return NULL;
if (end - start > PY_SSIZE_T_MAX / (1+1+8))
end = start + PY_SSIZE_T_MAX / (1+1+8);
startp = PyUnicode_AS_UNICODE(object);
for (p = startp+start, ressize = 0; p < startp+end; ++p) {
#ifdef Py_UNICODE_WIDE