Commit cd8d8dab authored by Benjamin Peterson's avatar Benjamin Peterson

fix overflow checking in PyBytes_Repr (closes #22519)

parent 42378992
...@@ -10,6 +10,8 @@ What's New in Python 3.3.6 release candidate 1? ...@@ -10,6 +10,8 @@ What's New in Python 3.3.6 release candidate 1?
Core and Builtins Core and Builtins
----------------- -----------------
- Issue #22519: Fix overflow checking in PyBytes_Repr.
- Issue #22518: Fix integer overflow issues in latin-1 encoding. - Issue #22518: Fix integer overflow issues in latin-1 encoding.
Library Library
......
...@@ -593,28 +593,27 @@ PyBytes_Repr(PyObject *obj, int smartquotes) ...@@ -593,28 +593,27 @@ PyBytes_Repr(PyObject *obj, int smartquotes)
newsize = 3; /* b'' */ newsize = 3; /* b'' */
s = (unsigned char*)op->ob_sval; s = (unsigned char*)op->ob_sval;
for (i = 0; i < length; i++) { for (i = 0; i < length; i++) {
Py_ssize_t incr = 1;
switch(s[i]) { switch(s[i]) {
case '\'': squotes++; newsize++; break; case '\'': squotes++; break;
case '"': dquotes++; newsize++; break; case '"': dquotes++; break;
case '\\': case '\t': case '\n': case '\r': case '\\': case '\t': case '\n': case '\r':
newsize += 2; break; /* \C */ incr = 2; break; /* \C */
default: default:
if (s[i] < ' ' || s[i] >= 0x7f) if (s[i] < ' ' || s[i] >= 0x7f)
newsize += 4; /* \xHH */ incr = 4; /* \xHH */
else
newsize++;
} }
if (newsize > PY_SSIZE_T_MAX - incr)
goto overflow;
newsize += incr;
} }
quote = '\''; quote = '\'';
if (smartquotes && squotes && !dquotes) if (smartquotes && squotes && !dquotes)
quote = '"'; quote = '"';
if (squotes && quote == '\'') if (squotes && quote == '\'') {
if (newsize > PY_SSIZE_T_MAX - squotes)
goto overflow;
newsize += squotes; newsize += squotes;
if (newsize > (PY_SSIZE_T_MAX - sizeof(PyUnicodeObject) - 1)) {
PyErr_SetString(PyExc_OverflowError,
"bytes object is too large to make repr");
return NULL;
} }
v = PyUnicode_New(newsize, 127); v = PyUnicode_New(newsize, 127);
...@@ -646,6 +645,11 @@ PyBytes_Repr(PyObject *obj, int smartquotes) ...@@ -646,6 +645,11 @@ PyBytes_Repr(PyObject *obj, int smartquotes)
*p++ = quote; *p++ = quote;
assert(_PyUnicode_CheckConsistency(v, 1)); assert(_PyUnicode_CheckConsistency(v, 1));
return v; return v;
overflow:
PyErr_SetString(PyExc_OverflowError,
"bytes object is too large to make repr");
return NULL;
} }
static PyObject * static PyObject *
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment