Merged revisions 65147 via svnmerge from

benjaminp · benjaminp · commit 7af6eec6d05e · 2008-07-19T22:26:35.000Z
svn+ssh://pythondev@svn.python.org/python/trunk ........ r65147 | bob.ippolito | 2008-07-19 16:59:50 -0500 (Sat, 19 Jul 2008) | 1 line #3322: bounds checking for _json.scanstring ........
diff --git a/Modules/_json.c b/Modules/_json.c
@@ -236,6 +236,10 @@ scanstring_str(PyObject *pystr, Py_ssize_t end, char *encoding, int strict)
     if (chunks == NULL) {
         goto bail;
     }
+    if (end < 0 || len <= end) {
+        PyErr_SetString(PyExc_ValueError, "end is out of bounds");
+        goto bail;
+    }
     while (1) {
         /* Find the end of the string or the next escape */
         Py_UNICODE c = 0;
@@ -246,7 +250,7 @@ scanstring_str(PyObject *pystr, Py_ssize_t end, char *encoding, int strict)
                 break;
             }
             else if (strict && c <= 0x1f) {
-                raise_errmsg("Invalid control character at", pystr, begin);
+                raise_errmsg("Invalid control character at", pystr, next);
                 goto bail;
             }
         }
@@ -401,6 +405,10 @@ scanstring_unicode(PyObject *pystr, Py_ssize_t end, int strict)
     if (chunks == NULL) {
         goto bail;
     }
+    if (end < 0 || len <= end) {
+        PyErr_SetString(PyExc_ValueError, "end is out of bounds");
+        goto bail;
+    }
     while (1) {
         /* Find the end of the string or the next escape */
         Py_UNICODE c = 0;
@@ -411,7 +419,7 @@ scanstring_unicode(PyObject *pystr, Py_ssize_t end, int strict)
                 break;
             }
             else if (strict && c <= 0x1f) {
-                raise_errmsg("Invalid control character at", pystr, begin);
+                raise_errmsg("Invalid control character at", pystr, next);
                 goto bail;
             }
         }

Original file line number	Diff line number	Diff line change
`@@ -236,6 +236,10 @@ scanstring_str(PyObject pystr, Py_ssize_t end, char encoding, int strict)`
`236`	`236`	`if (chunks == NULL) {`
`237`	`237`	`goto bail;`
`238`	`238`	`}`
	`239`	`+ if (end < 0 \|\| len <= end) {`
	`240`	`+ PyErr_SetString(PyExc_ValueError, "end is out of bounds");`
	`241`	`+ goto bail;`
	`242`	`+ }`
`239`	`243`	`while (1) {`
`240`	`244`	`/* Find the end of the string or the next escape */`
`241`	`245`	`Py_UNICODE c = 0;`
`@@ -246,7 +250,7 @@ scanstring_str(PyObject pystr, Py_ssize_t end, char encoding, int strict)`
`246`	`250`	`break;`
`247`	`251`	`}`
`248`	`252`	`else if (strict && c <= 0x1f) {`
`249`		`- raise_errmsg("Invalid control character at", pystr, begin);`
	`253`	`+ raise_errmsg("Invalid control character at", pystr, next);`
`250`	`254`	`goto bail;`
`251`	`255`	`}`
`252`	`256`	`}`
`@@ -401,6 +405,10 @@ scanstring_unicode(PyObject *pystr, Py_ssize_t end, int strict)`
`401`	`405`	`if (chunks == NULL) {`
`402`	`406`	`goto bail;`
`403`	`407`	`}`
	`408`	`+ if (end < 0 \|\| len <= end) {`
	`409`	`+ PyErr_SetString(PyExc_ValueError, "end is out of bounds");`
	`410`	`+ goto bail;`
	`411`	`+ }`
`404`	`412`	`while (1) {`
`405`	`413`	`/* Find the end of the string or the next escape */`
`406`	`414`	`Py_UNICODE c = 0;`
`@@ -411,7 +419,7 @@ scanstring_unicode(PyObject *pystr, Py_ssize_t end, int strict)`
`411`	`419`	`break;`
`412`	`420`	`}`
`413`	`421`	`else if (strict && c <= 0x1f) {`
`414`		`- raise_errmsg("Invalid control character at", pystr, begin);`
	`422`	`+ raise_errmsg("Invalid control character at", pystr, next);`
`415`	`423`	`goto bail;`
`416`	`424`	`}`
`417`	`425`	`}`