fix possible overflow in encode_basestring_ascii (closes #23369)

This commit is contained in:
Benjamin Peterson 2015-02-01 17:53:53 -05:00
parent 4dbc305002
commit e3bfe19358
3 changed files with 25 additions and 5 deletions

View File

@ -1,5 +1,6 @@
from collections import OrderedDict
from test.test_json import PyTest, CTest
from test.support import bigaddrspacetest
CASES = [
@ -41,4 +42,10 @@ class TestEncodeBasestringAscii:
class TestPyEncodeBasestringAscii(TestEncodeBasestringAscii, PyTest): pass
class TestCEncodeBasestringAscii(TestEncodeBasestringAscii, CTest): pass
class TestCEncodeBasestringAscii(TestEncodeBasestringAscii, CTest):
@bigaddrspacetest
def test_overflow(self):
s = "\uffff"*((2**32)//6 + 1)
with self.assertRaises(OverflowError):
self.json.encoder.encode_basestring_ascii(s)

View File

@ -13,6 +13,12 @@ Core and Builtins
- Issue #23055: Fixed a buffer overflow in PyUnicode_FromFormatV. Analysis
and fix by Guido Vranken.
Library
-------
- Issue #23369: Fixed possible integer overflow in
_json.encode_basestring_ascii.
What's New in Python 3.3.6?
===========================

View File

@ -216,17 +216,24 @@ ascii_escape_unicode(PyObject *pystr)
/* Compute the output size */
for (i = 0, output_size = 2; i < input_chars; i++) {
Py_UCS4 c = PyUnicode_READ(kind, input, i);
if (S_CHAR(c))
output_size++;
Py_ssize_t d;
if (S_CHAR(c)) {
d = 1;
}
else {
switch(c) {
case '\\': case '"': case '\b': case '\f':
case '\n': case '\r': case '\t':
output_size += 2; break;
d = 2; break;
default:
output_size += c >= 0x10000 ? 12 : 6;
d = c >= 0x10000 ? 12 : 6;
}
}
if (output_size > PY_SSIZE_T_MAX - d) {
PyErr_SetString(PyExc_OverflowError, "string is too long to escape");
return NULL;
}
output_size += d;
}
rval = PyUnicode_New(output_size, 127);