Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 2e37409

Browse files
Issue #22518: Fixed integer overflow issues in "backslashreplace",
"xmlcharrefreplace", and "surrogatepass" error handlers.
1 parent 518e71b commit 2e37409

2 files changed

Lines changed: 11 additions & 2 deletions

File tree

Misc/NEWS

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -9,6 +9,9 @@ What's New in Python 3.4.3?
99
Core and Builtins
1010
-----------------
1111

12+
- Issue #22518: Fixed integer overflow issues in "backslashreplace",
13+
"xmlcharrefreplace", and "surrogatepass" error handlers.
14+
1215
- Issue #22520: Fix overflow checking when generating the repr of a unicode
1316
object.
1417

Python/codecs.c

Lines changed: 8 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -773,14 +773,16 @@ PyObject *PyCodec_XMLCharRefReplaceErrors(PyObject *exc)
773773
Py_ssize_t end;
774774
PyObject *res;
775775
unsigned char *outp;
776-
int ressize;
776+
Py_ssize_t ressize;
777777
Py_UCS4 ch;
778778
if (PyUnicodeEncodeError_GetStart(exc, &start))
779779
return NULL;
780780
if (PyUnicodeEncodeError_GetEnd(exc, &end))
781781
return NULL;
782782
if (!(object = PyUnicodeEncodeError_GetObject(exc)))
783783
return NULL;
784+
if (end - start > PY_SSIZE_T_MAX / (2+7+1))
785+
end = start + PY_SSIZE_T_MAX / (2+7+1);
784786
for (i = start, ressize = 0; i < end; ++i) {
785787
/* object is guaranteed to be "ready" */
786788
ch = PyUnicode_READ_CHAR(object, i);
@@ -869,14 +871,16 @@ PyObject *PyCodec_BackslashReplaceErrors(PyObject *exc)
869871
Py_ssize_t end;
870872
PyObject *res;
871873
unsigned char *outp;
872-
int ressize;
874+
Py_ssize_t ressize;
873875
Py_UCS4 c;
874876
if (PyUnicodeEncodeError_GetStart(exc, &start))
875877
return NULL;
876878
if (PyUnicodeEncodeError_GetEnd(exc, &end))
877879
return NULL;
878880
if (!(object = PyUnicodeEncodeError_GetObject(exc)))
879881
return NULL;
882+
if (end - start > PY_SSIZE_T_MAX / (1+1+8))
883+
end = start + PY_SSIZE_T_MAX / (1+1+8);
880884
for (i = start, ressize = 0; i < end; ++i) {
881885
/* object is guaranteed to be "ready" */
882886
c = PyUnicode_READ_CHAR(object, i);
@@ -1023,6 +1027,8 @@ PyCodec_SurrogatePassErrors(PyObject *exc)
10231027
code = get_standard_encoding(encoding, &bytelength);
10241028
Py_DECREF(encode);
10251029

1030+
if (end - start > PY_SSIZE_T_MAX / bytelength)
1031+
end = start + PY_SSIZE_T_MAX / bytelength;
10261032
res = PyBytes_FromStringAndSize(NULL, bytelength*(end-start));
10271033
if (!res) {
10281034
Py_DECREF(object);

0 commit comments

Comments
 (0)