Skip to content

C
cpython
Commit d524922b authored by Serhiy Storchaka's avatar Serhiy Storchaka
Browse files
Options

Issue #22518: Fixed integer overflow issues in "backslashreplace" and 

"xmlcharrefreplace" error handlers.
parent 52313d72
Show whitespace changes
Inline Side-by-side
Showing with 15 additions and 2 deletions
Misc/NEWS
View file @ d524922b
...@@ -10,6 +10,9 @@ What's New in Python 2.7.9? ...@@ -10,6 +10,9 @@ What's New in Python 2.7.9?
Core and Builtins Core and Builtins
----------------- -----------------
- Issue #22518: Fixed integer overflow issues in "backslashreplace" and
"xmlcharrefreplace" error handlers.
- Issue #22526: Fix iterating through files with lines longer than 2^31 bytes. - Issue #22526: Fix iterating through files with lines longer than 2^31 bytes.
- Issue #22519: Fix overflow checking in PyString_Repr. - Issue #22519: Fix overflow checking in PyString_Repr.
......
Python/codecs.c
View file @ d524922b
...@@ -558,7 +558,7 @@ PyObject *PyCodec_XMLCharRefReplaceErrors(PyObject *exc) ...@@ -558,7 +558,7 @@ PyObject *PyCodec_XMLCharRefReplaceErrors(PyObject *exc)
Py_UNICODE *startp; Py_UNICODE *startp;
Py_UNICODE *e; Py_UNICODE *e;
Py_UNICODE *outp; Py_UNICODE *outp;
int ressize; Py_ssize_t ressize;
if (PyUnicodeEncodeError_GetStart(exc, &start)) if (PyUnicodeEncodeError_GetStart(exc, &start))
return NULL; return NULL;
if (PyUnicodeEncodeError_GetEnd(exc, &end)) if (PyUnicodeEncodeError_GetEnd(exc, &end))
...@@ -566,6 +566,14 @@ PyObject *PyCodec_XMLCharRefReplaceErrors(PyObject *exc) ...@@ -566,6 +566,14 @@ PyObject *PyCodec_XMLCharRefReplaceErrors(PyObject *exc)
if (!(object = PyUnicodeEncodeError_GetObject(exc))) if (!(object = PyUnicodeEncodeError_GetObject(exc)))
return NULL; return NULL;
startp = PyUnicode_AS_UNICODE(object); startp = PyUnicode_AS_UNICODE(object);
if (end - start > PY_SSIZE_T_MAX / (2+7+1)) {
end = start + PY_SSIZE_T_MAX / (2+7+1);
#ifndef Py_UNICODE_WIDE
ch = startp[end - 1];
if (0xD800 <= ch && ch <= 0xDBFF)
end--;
#endif
}
e = startp + end; e = startp + end;
for (p = startp+start, ressize = 0; p < e;) { for (p = startp+start, ressize = 0; p < e;) {
Py_UCS4 ch = *p++; Py_UCS4 ch = *p++;
...@@ -675,13 +683,15 @@ PyObject *PyCodec_BackslashReplaceErrors(PyObject *exc) ...@@ -675,13 +683,15 @@ PyObject *PyCodec_BackslashReplaceErrors(PyObject *exc)
Py_UNICODE *p; Py_UNICODE *p;
Py_UNICODE *startp; Py_UNICODE *startp;
Py_UNICODE *outp; Py_UNICODE *outp;
int ressize; Py_ssize_t ressize;
if (PyUnicodeEncodeError_GetStart(exc, &start)) if (PyUnicodeEncodeError_GetStart(exc, &start))
return NULL; return NULL;
if (PyUnicodeEncodeError_GetEnd(exc, &end)) if (PyUnicodeEncodeError_GetEnd(exc, &end))
return NULL; return NULL;
if (!(object = PyUnicodeEncodeError_GetObject(exc))) if (!(object = PyUnicodeEncodeError_GetObject(exc)))
return NULL; return NULL;
if (end - start > PY_SSIZE_T_MAX / (1+1+8))
end = start + PY_SSIZE_T_MAX / (1+1+8);
startp = PyUnicode_AS_UNICODE(object); startp = PyUnicode_AS_UNICODE(object);
for (p = startp+start, ressize = 0; p < startp+end; ++p) { for (p = startp+start, ressize = 0; p < startp+end; ++p) {
#ifdef Py_UNICODE_WIDE #ifdef Py_UNICODE_WIDE
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7