[Python-checkins] cpython (2.7): fix possible overflow in encode_basestring_ascii (#23369)
benjamin.peterson
python-checkins at python.org
Sat Aug 13 19:48:38 EDT 2016
https://hg.python.org/cpython/rev/6fa0ebfdc136
changeset: 102635:6fa0ebfdc136
branch: 2.7
parent: 102632:b1e4c8a3e786
user: Benjamin Peterson <benjamin at python.org>
date: Sat Aug 13 16:47:25 2016 -0700
summary:
fix possible overflow in encode_basestring_ascii (#23369)
files:
Misc/NEWS | 3 +++
Modules/_json.c | 4 ++++
2 files changed, 7 insertions(+), 0 deletions(-)
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -29,6 +29,9 @@
Library
-------
+- Issue #23369: Fixed possible integer overflow in
+ _json.encode_basestring_ascii.
+
- Issue #27568: Prevent HTTPoxy attack (CVE-2016-1000110). Ignore the
HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates
that the script is in CGI mode.
diff --git a/Modules/_json.c b/Modules/_json.c
--- a/Modules/_json.c
+++ b/Modules/_json.c
@@ -211,6 +211,10 @@
input_unicode = PyUnicode_AS_UNICODE(pystr);
/* One char input can be up to 6 chars output, estimate 4 of these */
+ if (input_chars > (PY_SSIZE_T_MAX - 2)/ MAX_EXPANSION) {
+ PyErr_SetString(PyExc_OverflowError, "string is too long to escape");
+ return NULL;
+ }
output_size = 2 + (MIN_EXPANSION * 4) + input_chars;
max_output_size = 2 + (input_chars * MAX_EXPANSION);
rval = PyString_FromStringAndSize(NULL, output_size);
--
Repository URL: https://hg.python.org/cpython
More information about the Python-checkins
mailing list