fix possible overflow in encode_basestring_ascii (closes #23369)
This commit is contained in:
parent
4dbc305002
commit
e3bfe19358
|
@ -1,5 +1,6 @@
|
|||
from collections import OrderedDict
|
||||
from test.test_json import PyTest, CTest
|
||||
from test.support import bigaddrspacetest
|
||||
|
||||
|
||||
CASES = [
|
||||
|
@ -41,4 +42,10 @@ class TestEncodeBasestringAscii:
|
|||
|
||||
|
||||
class TestPyEncodeBasestringAscii(TestEncodeBasestringAscii, PyTest): pass
|
||||
class TestCEncodeBasestringAscii(TestEncodeBasestringAscii, CTest): pass
|
||||
class TestCEncodeBasestringAscii(TestEncodeBasestringAscii, CTest):
|
||||
@bigaddrspacetest
|
||||
def test_overflow(self):
|
||||
s = "\uffff"*((2**32)//6 + 1)
|
||||
with self.assertRaises(OverflowError):
|
||||
self.json.encoder.encode_basestring_ascii(s)
|
||||
|
||||
|
|
|
@ -13,6 +13,12 @@ Core and Builtins
|
|||
- Issue #23055: Fixed a buffer overflow in PyUnicode_FromFormatV. Analysis
|
||||
and fix by Guido Vranken.
|
||||
|
||||
Library
|
||||
-------
|
||||
|
||||
- Issue #23369: Fixed possible integer overflow in
|
||||
_json.encode_basestring_ascii.
|
||||
|
||||
|
||||
What's New in Python 3.3.6?
|
||||
===========================
|
||||
|
|
|
@ -216,17 +216,24 @@ ascii_escape_unicode(PyObject *pystr)
|
|||
/* Compute the output size */
|
||||
for (i = 0, output_size = 2; i < input_chars; i++) {
|
||||
Py_UCS4 c = PyUnicode_READ(kind, input, i);
|
||||
if (S_CHAR(c))
|
||||
output_size++;
|
||||
Py_ssize_t d;
|
||||
if (S_CHAR(c)) {
|
||||
d = 1;
|
||||
}
|
||||
else {
|
||||
switch(c) {
|
||||
case '\\': case '"': case '\b': case '\f':
|
||||
case '\n': case '\r': case '\t':
|
||||
output_size += 2; break;
|
||||
d = 2; break;
|
||||
default:
|
||||
output_size += c >= 0x10000 ? 12 : 6;
|
||||
d = c >= 0x10000 ? 12 : 6;
|
||||
}
|
||||
}
|
||||
if (output_size > PY_SSIZE_T_MAX - d) {
|
||||
PyErr_SetString(PyExc_OverflowError, "string is too long to escape");
|
||||
return NULL;
|
||||
}
|
||||
output_size += d;
|
||||
}
|
||||
|
||||
rval = PyUnicode_New(output_size, 127);
|
||||
|
|
Loading…
Reference in New Issue