fix possible overflow in encode_basestring_ascii (#23369)

04a53853 · Benjamin Peterson · 4ae4e7cb · 04a53853 · 04a53853
Commit 04a53853 authored Aug 13, 2016 by Benjamin Peterson
Show whitespace changes
Inline Side-by-side

Showing with 7 additions and 0 deletions

Misc/NEWS Misc/NEWS +3 -0

Modules/_json.c Modules/_json.c +4 -0

No files found.
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -29,6 +29,9 @@ Core and Builtins
 Library
 -------
+- Issue #23369: Fixed possible integer overflow in
+  _json.encode_basestring_ascii.
 - Issue #27568: Prevent HTTPoxy attack (CVE-2016-1000110). Ignore the
  HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates
  that the script is in CGI mode.

--- a/Modules/_json.c
+++ b/Modules/_json.c
@@ -211,6 +211,10 @@ ascii_escape_unicode(PyObject *pystr)
    input_unicode = PyUnicode_AS_UNICODE(pystr);
    /* One char input can be up to 6 chars output, estimate 4 of these */
+    if (input_chars > (PY_SSIZE_T_MAX - 2)/ MAX_EXPANSION) {
+        PyErr_SetString(PyExc_OverflowError, "string is too long to escape");
+        return NULL;
+    }
    output_size = 2 + (MIN_EXPANSION * 4) + input_chars;
    max_output_size = 2 + (input_chars * MAX_EXPANSION);
    rval = PyString_FromStringAndSize(NULL, output_size);