Commit 8d1e18ef authored by Serhiy Storchaka's avatar Serhiy Storchaka

Issue #22518: Fixed integer overflow issues in "backslashreplace",

"xmlcharrefreplace", and "surrogatepass" error handlers.
parents 90c24c42 2e374098
...@@ -10,6 +10,9 @@ Release date: TBA ...@@ -10,6 +10,9 @@ Release date: TBA
Core and Builtins Core and Builtins
----------------- -----------------
- Issue #22518: Fixed integer overflow issues in "backslashreplace",
"xmlcharrefreplace", and "surrogatepass" error handlers.
- Issue #22540: speed up `PyObject_IsInstance` and `PyObject_IsSubclass` in the - Issue #22540: speed up `PyObject_IsInstance` and `PyObject_IsSubclass` in the
common case that the second argument has metaclass `type`. common case that the second argument has metaclass `type`.
......
...@@ -773,7 +773,7 @@ PyObject *PyCodec_XMLCharRefReplaceErrors(PyObject *exc) ...@@ -773,7 +773,7 @@ PyObject *PyCodec_XMLCharRefReplaceErrors(PyObject *exc)
Py_ssize_t end; Py_ssize_t end;
PyObject *res; PyObject *res;
unsigned char *outp; unsigned char *outp;
int ressize; Py_ssize_t ressize;
Py_UCS4 ch; Py_UCS4 ch;
if (PyUnicodeEncodeError_GetStart(exc, &start)) if (PyUnicodeEncodeError_GetStart(exc, &start))
return NULL; return NULL;
...@@ -781,6 +781,8 @@ PyObject *PyCodec_XMLCharRefReplaceErrors(PyObject *exc) ...@@ -781,6 +781,8 @@ PyObject *PyCodec_XMLCharRefReplaceErrors(PyObject *exc)
return NULL; return NULL;
if (!(object = PyUnicodeEncodeError_GetObject(exc))) if (!(object = PyUnicodeEncodeError_GetObject(exc)))
return NULL; return NULL;
if (end - start > PY_SSIZE_T_MAX / (2+7+1))
end = start + PY_SSIZE_T_MAX / (2+7+1);
for (i = start, ressize = 0; i < end; ++i) { for (i = start, ressize = 0; i < end; ++i) {
/* object is guaranteed to be "ready" */ /* object is guaranteed to be "ready" */
ch = PyUnicode_READ_CHAR(object, i); ch = PyUnicode_READ_CHAR(object, i);
...@@ -869,7 +871,7 @@ PyObject *PyCodec_BackslashReplaceErrors(PyObject *exc) ...@@ -869,7 +871,7 @@ PyObject *PyCodec_BackslashReplaceErrors(PyObject *exc)
Py_ssize_t end; Py_ssize_t end;
PyObject *res; PyObject *res;
unsigned char *outp; unsigned char *outp;
int ressize; Py_ssize_t ressize;
Py_UCS4 c; Py_UCS4 c;
if (PyUnicodeEncodeError_GetStart(exc, &start)) if (PyUnicodeEncodeError_GetStart(exc, &start))
return NULL; return NULL;
...@@ -877,6 +879,8 @@ PyObject *PyCodec_BackslashReplaceErrors(PyObject *exc) ...@@ -877,6 +879,8 @@ PyObject *PyCodec_BackslashReplaceErrors(PyObject *exc)
return NULL; return NULL;
if (!(object = PyUnicodeEncodeError_GetObject(exc))) if (!(object = PyUnicodeEncodeError_GetObject(exc)))
return NULL; return NULL;
if (end - start > PY_SSIZE_T_MAX / (1+1+8))
end = start + PY_SSIZE_T_MAX / (1+1+8);
for (i = start, ressize = 0; i < end; ++i) { for (i = start, ressize = 0; i < end; ++i) {
/* object is guaranteed to be "ready" */ /* object is guaranteed to be "ready" */
c = PyUnicode_READ_CHAR(object, i); c = PyUnicode_READ_CHAR(object, i);
...@@ -1036,6 +1040,8 @@ PyCodec_SurrogatePassErrors(PyObject *exc) ...@@ -1036,6 +1040,8 @@ PyCodec_SurrogatePassErrors(PyObject *exc)
return NULL; return NULL;
} }
if (end - start > PY_SSIZE_T_MAX / bytelength)
end = start + PY_SSIZE_T_MAX / bytelength;
res = PyBytes_FromStringAndSize(NULL, bytelength*(end-start)); res = PyBytes_FromStringAndSize(NULL, bytelength*(end-start));
if (!res) { if (!res) {
Py_DECREF(object); Py_DECREF(object);
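Review bot: The new clamps on `end` depend on per-character worst-case sizes written as bare arithmetic, `(2+7+1)` in PyCodec_XMLCharRefReplaceErrors and `(1+1+8)` in PyCodec_BackslashReplaceErrors, with nothing tying them to the sizing loop that follows. Because the clamp is what keeps `ressize` (and `bytelength*(end-start)` in PyCodec_SurrogatePassErrors) from overflowing before the buffer is allocated, I would state the invariant next to each one, e.g. `/* worst case per code point: "&#" + 7 decimal digits + ";" */` and `/* worst case per code point: "\U" + 8 hex digits */`, so a later change to the longest escape also updates the bound. A one-line comment that shortening `end` is intentional would also help, since the remaining characters are presumably handled when the caller resumes at the returned position. The return statements are outside these hunks, so I cannot confirm that the clamped `end` is the value handed back. All three function bodies start and end outside the visible hunks.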
......