@@ -773,14 +773,16 @@ PyObject *PyCodec_XMLCharRefReplaceErrors(PyObject *exc)
773773 Py_ssize_t end ;
774774 PyObject * res ;
775775 unsigned char * outp ;
776- int ressize ;
776+ Py_ssize_t ressize ;
777777 Py_UCS4 ch ;
778778 if (PyUnicodeEncodeError_GetStart (exc , & start ))
779779 return NULL ;
780780 if (PyUnicodeEncodeError_GetEnd (exc , & end ))
781781 return NULL ;
782782 if (!(object = PyUnicodeEncodeError_GetObject (exc )))
783783 return NULL ;
784+ if (end - start > PY_SSIZE_T_MAX / (2 + 7 + 1 ))
785+ end = start + PY_SSIZE_T_MAX / (2 + 7 + 1 );
784786 for (i = start , ressize = 0 ; i < end ; ++ i ) {
785787 /* object is guaranteed to be "ready" */
786788 ch = PyUnicode_READ_CHAR (object , i );
@@ -869,14 +871,16 @@ PyObject *PyCodec_BackslashReplaceErrors(PyObject *exc)
869871 Py_ssize_t end ;
870872 PyObject * res ;
871873 unsigned char * outp ;
872- int ressize ;
874+ Py_ssize_t ressize ;
873875 Py_UCS4 c ;
874876 if (PyUnicodeEncodeError_GetStart (exc , & start ))
875877 return NULL ;
876878 if (PyUnicodeEncodeError_GetEnd (exc , & end ))
877879 return NULL ;
878880 if (!(object = PyUnicodeEncodeError_GetObject (exc )))
879881 return NULL ;
882+ if (end - start > PY_SSIZE_T_MAX / (1 + 1 + 8 ))
883+ end = start + PY_SSIZE_T_MAX / (1 + 1 + 8 );
880884 for (i = start , ressize = 0 ; i < end ; ++ i ) {
881885 /* object is guaranteed to be "ready" */
882886 c = PyUnicode_READ_CHAR (object , i );
@@ -1023,6 +1027,8 @@ PyCodec_SurrogatePassErrors(PyObject *exc)
10231027 code = get_standard_encoding (encoding , & bytelength );
10241028 Py_DECREF (encode );
10251029
1030+ if (end - start > PY_SSIZE_T_MAX / bytelength )
1031+ end = start + PY_SSIZE_T_MAX / bytelength ;
10261032 res = PyBytes_FromStringAndSize (NULL , bytelength * (end - start ));
10271033 if (!res ) {
10281034 Py_DECREF (object );
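Review bot: The clamp added in the PyCodec_SurrogatePassErrors hunk divides by `bytelength` (`PY_SSIZE_T_MAX / bytelength`) immediately after `get_standard_encoding(encoding, &bytelength)`, with no visible check that the call recognised the encoding. That helper is outside the hunk; if it can return its unsupported-encoding result without storing a positive width, the divisor is zero or indeterminate. The encoding name involved is taken from the exception object, so it is not necessarily one of the standard ones. I would test the result before new line 1030, e.g. `if (code == ENC_UNKNOWN)` (assuming that is the constant the helper returns for this case), release `object` and fail with the original exception, so that both the division and the `PyBytes_FromStringAndSize` size only ever see a known width. The function body starts and ends outside the hunk, so this is based only on the lines between the helper call and the division.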