[New-bugs-announce] [issue22518] integer overflow in encoding unicode
paul
report at bugs.python.org
Mon Sep 29 23:01:25 CEST 2014
New submission from paul:
# static PyObject *
# unicode_encode_ucs1(PyObject *unicode,
# const char *errors,
# unsigned int limit)
# {
# ...
# while (pos < size) {
# ...
# case 4: /* xmlcharrefreplace */
# /* determine replacement size */
# for (i = collstart, repsize = 0; i < collend; ++i) {
# Py_UCS4 ch = PyUnicode_READ(kind, data, i);
# ...
# else if (ch < 100000)
# 1 repsize += 2+5+1;
# ...
# }
# 2 requiredsize = respos+repsize+(size-collend);
# if (requiredsize > ressize) {
# ...
# if (_PyBytes_Resize(&res, requiredsize))
# ...
# }
# /* generate replacement */
# for (i = collstart; i < collend; ++i) {
# 3 str += sprintf(str, "&#%d;", PyUnicode_READ(kind, data, i));
# }
#
# 1. ch=0xffff<100000, so repsize = (number of unicode chars in string)*8
#    = 2^29*2^3 = 2^32 == 0 (mod 2^32)
# 2. respos==0, collend==0, so requiredsize=repsize==0, so the destination
#    buffer isn't resized
# 3. overwrite
----------
files: poc_encode_latin1.py
messages: 227837
nosy: pkt
priority: normal
severity: normal
status: open
title: integer overflow in encoding unicode
type: crash
versions: Python 3.4
Added file: http://bugs.python.org/file36754/poc_encode_latin1.py
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue22518>
_______________________________________
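The report above hinges on a size computation that wraps before the buffer is resized. As an added example (not from the Python tracker, the reporter, or CPython's own sources), the following C reproduces the wrap in 32-bit unsigned arithmetic next to an overflow-checked version of the requiredsize computation that a codec can use to refuse the resize instead of under-allocating. The function names `naive_repsize_u32`, `checked_required_size`, `demo_report_parameters` and the `max` parameter are assumptions made here; the per-character width of 8 (2+5+1) and the respos == 0 / collend == 0 conditions are taken from the quoted excerpt.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Width of an "&#NNNNN;" reference for ch < 100000: 2 + 5 + 1 = 8,
 * the value the quoted excerpt adds to repsize per character. */
#define REPSIZE_PER_CHAR ((size_t)(2 + 5 + 1))

/* Mirrors the excerpt's repsize accumulation in 32-bit unsigned arithmetic.
 * The excerpt's loop adds 8 per character; nchars * 8 is the same total and
 * wraps to 0 when nchars == 2^29, the condition the report describes. */
uint32_t naive_repsize_u32(uint32_t nchars)
{
    return nchars * (uint32_t)REPSIZE_PER_CHAR;
}

/* Overflow-checked requiredsize = respos + nchars*per_char + tail.
 * 'max' is the largest value the destination size type can hold (for
 * example UINT32_MAX or SIZE_MAX). Returns 0 and stores the result in *out,
 * or -1 if any intermediate would exceed max, so the caller can fail the
 * allocation (a codec would typically raise MemoryError) instead of resizing
 * too little and letting the replacement text run past the buffer. */
int checked_required_size(size_t respos, size_t nchars, size_t per_char,
                          size_t tail, size_t max, size_t *out)
{
    size_t repsize, acc;

    if (per_char != 0 && nchars > max / per_char)
        return -1;                      /* nchars * per_char would overflow */
    repsize = nchars * per_char;
    if (respos > max - repsize)
        return -1;                      /* respos + repsize would overflow */
    acc = respos + repsize;
    if (tail > max - acc)
        return -1;                      /* + tail would overflow */
    *out = acc + tail;
    return 0;
}

/* Replays the report's parameters (respos == 0, collend == 0, 2^29 chars of
 * 8 bytes each) under a 32-bit limit. Returns 1 if the naive arithmetic wraps
 * to 0 while the checked version reports overflow and leaves *out untouched,
 * 0 otherwise. */
int demo_report_parameters(void)
{
    size_t out = 12345;                 /* sentinel: must survive the -1 path */
    uint32_t naive = naive_repsize_u32((uint32_t)1 << 29);
    int rc = checked_required_size(0, (size_t)1 << 29, REPSIZE_PER_CHAR,
                                   0, UINT32_MAX, &out);
    return naive == 0 && rc == -1 && out == 12345;
}

int main(void)
{
    size_t need = 0;

    printf("naive repsize for 2^29 chars (32-bit): %u\n",
           (unsigned)naive_repsize_u32((uint32_t)1 << 29));
    printf("checked (32-bit limit): %s\n",
           checked_required_size(0, (size_t)1 << 29, REPSIZE_PER_CHAR, 0,
                                 UINT32_MAX, &need)
               ? "overflow detected, refuse resize" : "ok");
    /* Constructed small case: respos 10, 3 chars, tail 5 -> 10 + 24 + 5 */
    if (checked_required_size(10, 3, REPSIZE_PER_CHAR, 5, SIZE_MAX, &need) == 0)
        printf("small case: requiredsize = %zu\n", need);
    return 0;
}
```

The check divides the limit rather than multiplying first, so it never depends on the wrapped value; the same three-step pattern (multiply, add, add, each guarded against `max`) applies to any codec or serializer that sizes an output buffer from a per-item width times an item count.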