@@ -10,6 +10,9 @@ What's New in Python 3.3.6?
1010Core and Builtins
1111-----------------
1212
13+ - Issue #22518: Fixed integer overflow issues in "backslashreplace",
14+ "xmlcharrefreplace", and "surrogatepass" error handlers.
15+
1316- Issue #22520: Fix overflow checking when generating the repr of a unicode
1417 object.
1518
@@ -727,14 +727,16 @@ PyObject *PyCodec_XMLCharRefReplaceErrors(PyObject *exc)
727727 Py_ssize_t end ;
728728 PyObject * res ;
729729 unsigned char * outp ;
730- int ressize ;
730+ Py_ssize_t ressize ;
731731 Py_UCS4 ch ;
732732 if (PyUnicodeEncodeError_GetStart (exc , & start ))
733733 return NULL ;
734734 if (PyUnicodeEncodeError_GetEnd (exc , & end ))
735735 return NULL ;
736736 if (!(object = PyUnicodeEncodeError_GetObject (exc )))
737737 return NULL ;
738+ if (end - start > PY_SSIZE_T_MAX / (2 + 7 + 1 ))
739+ end = start + PY_SSIZE_T_MAX / (2 + 7 + 1 );
738740 for (i = start , ressize = 0 ; i < end ; ++ i ) {
739741 /* object is guaranteed to be "ready" */
740742 ch = PyUnicode_READ_CHAR (object , i );
@@ -823,14 +825,16 @@ PyObject *PyCodec_BackslashReplaceErrors(PyObject *exc)
823825 Py_ssize_t end ;
824826 PyObject * res ;
825827 unsigned char * outp ;
826- int ressize ;
828+ Py_ssize_t ressize ;
827829 Py_UCS4 c ;
828830 if (PyUnicodeEncodeError_GetStart (exc , & start ))
829831 return NULL ;
830832 if (PyUnicodeEncodeError_GetEnd (exc , & end ))
831833 return NULL ;
832834 if (!(object = PyUnicodeEncodeError_GetObject (exc )))
833835 return NULL ;
836+ if (end - start > PY_SSIZE_T_MAX / (1 + 1 + 8 ))
837+ end = start + PY_SSIZE_T_MAX / (1 + 1 + 8 );
834838 for (i = start , ressize = 0 ; i < end ; ++ i ) {
835839 /* object is guaranteed to be "ready" */
836840 c = PyUnicode_READ_CHAR (object , i );
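Review bot: The clamp divisors `(2 + 7 + 1)` in PyCodec_XMLCharRefReplaceErrors and `(1 + 1 + 8)` in PyCodec_BackslashReplaceErrors are unexplained, so the overflow guard can only be trusted by a reader who re-derives them from the longest replacement each loop can emit. A comment above each check would pin that down, presumably `/* worst case per char: "&#" + 7 decimal digits + ";" */` and `/* worst case per char: backslash + "U" + 8 hex digits */`. The clamp also silently shortens `end`, so the handler now replaces only part of the reported range; that is safe only if the shortened `end` is what the function returns as the resume position, which happens outside the hunk and should be confirmed. Both function bodies start and end outside the visible lines, and the "surrogatepass" change named in the NEWS entry is not in this view.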