[Python-checkins] cpython (3.5): prevent integer overflow in escape_unicode (closes #24522)
benjamin.peterson
python-checkins at python.org
Sat Jun 27 22:01:21 CEST 2015
https://hg.python.org/cpython/rev/0540e14c4b64
changeset: 96693:0540e14c4b64
branch: 3.5
parent: 96690:bb8959d0540c
user: Benjamin Peterson <benjamin at python.org>
date: Sat Jun 27 15:01:51 2015 -0500
summary:
prevent integer overflow in escape_unicode (closes #24522)
files:
Misc/NEWS | 2 ++
Modules/_json.c | 12 +++++++++---
2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -24,6 +24,8 @@
Library
-------
+- Issue #24522: Fix possible integer overflow in json accelerator module.
+
- Issue #24489: ensure a previously set C errno doesn't disturb cmath.polar().
- Issue #24408: Fixed AttributeError in measure() and metrics() methods of
diff --git a/Modules/_json.c b/Modules/_json.c
--- a/Modules/_json.c
+++ b/Modules/_json.c
@@ -249,17 +249,23 @@
/* Compute the output size */
for (i = 0, output_size = 2; i < input_chars; i++) {
Py_UCS4 c = PyUnicode_READ(kind, input, i);
+ Py_ssize_t d;
switch (c) {
case '\\': case '"': case '\b': case '\f':
case '\n': case '\r': case '\t':
- output_size += 2;
+ d = 2;
break;
default:
if (c <= 0x1f)
- output_size += 6;
+ d = 6;
else
- output_size++;
+ d = 1;
}
+ if (output_size > PY_SSIZE_T_MAX - d) {
+ PyErr_SetString(PyExc_OverflowError, "string is too long to escape");
+ return NULL;
+ }
+ output_size += d;
}
rval = PyUnicode_New(output_size, maxchar);
--
Repository URL: https://hg.python.org/cpython
More information about the Python-checkins
mailing list