
Commit 8d1e18e

Issue #22518: Fixed integer overflow issues in "backslashreplace",
"xmlcharrefreplace", and "surrogatepass" error handlers.
2 parents 90c24c4 + 2e37409 commit 8d1e18e

2 files changed

Lines changed: 11 additions & 2 deletions


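--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -10,6 +10,9 @@ Release date: TBA
 Core and Builtins
 -----------------
 
+- Issue #22518: Fixed integer overflow issues in "backslashreplace",
+"xmlcharrefreplace", and "surrogatepass" error handlers.
+
 - Issue #22540: speed up `PyObject_IsInstance` and `PyObject_IsSubclass` in the
 common case that the second argument has metaclass `type`.
 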

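--- a/Python/codecs.c
+++ b/Python/codecs.c
@@ -773,14 +773,16 @@ PyObject *PyCodec_XMLCharRefReplaceErrors(PyObject *exc)
 Py_ssize_t end;
 PyObject *res;
 unsigned char *outp;
-int ressize;
+Py_ssize_t ressize;
 Py_UCS4 ch;
 if (PyUnicodeEncodeError_GetStart(exc, &start))
 return NULL;
 if (PyUnicodeEncodeError_GetEnd(exc, &end))
 return NULL;
 if (!(object = PyUnicodeEncodeError_GetObject(exc)))
 return NULL;
+if (end - start > PY_SSIZE_T_MAX / (2+7+1))
+end = start + PY_SSIZE_T_MAX / (2+7+1);
 for (i = start, ressize = 0; i < end; ++i) {
 /* object is guaranteed to be "ready" */
 ch = PyUnicode_READ_CHAR(object, i);
@@ -869,14 +871,16 @@ PyObject *PyCodec_BackslashReplaceErrors(PyObject *exc)
 Py_ssize_t end;
 PyObject *res;
 unsigned char *outp;
-int ressize;
+Py_ssize_t ressize;
 Py_UCS4 c;
 if (PyUnicodeEncodeError_GetStart(exc, &start))
 return NULL;
 if (PyUnicodeEncodeError_GetEnd(exc, &end))
 return NULL;
 if (!(object = PyUnicodeEncodeError_GetObject(exc)))
 return NULL;
+if (end - start > PY_SSIZE_T_MAX / (1+1+8))
+end = start + PY_SSIZE_T_MAX / (1+1+8);
 for (i = start, ressize = 0; i < end; ++i) {
 /* object is guaranteed to be "ready" */
 c = PyUnicode_READ_CHAR(object, i);
@@ -1036,6 +1040,8 @@ PyCodec_SurrogatePassErrors(PyObject *exc)
 return NULL;
 }
 
+if (end - start > PY_SSIZE_T_MAX / bytelength)
+end = start + PY_SSIZE_T_MAX / bytelength;
 res = PyBytes_FromStringAndSize(NULL, bytelength*(end-start));
 if (!res) {
 Py_DECREF(object);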
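Review bot: The clamp added before the loop in PyCodec_XMLCharRefReplaceErrors (and repeated in PyCodec_BackslashReplaceErrors and PyCodec_SurrogatePassErrors) silently shortens the range instead of failing, so it is only correct if each handler returns the clamped `end` as the resume position; those return statements are outside the hunks and should be checked. The bounds `(2+7+1)` and `(1+1+8)` are unexplained worst-case byte counts per character and deserve a comment, for example `/* worst case per char: "&#" + 7 digits + ";" */` and `/* worst case per char: "\U" + 8 hex digits */`. In the third hunk the divisor `bytelength` is assigned outside the visible lines; it looks as if unsupported encodings have already returned NULL by then, but confirm it can never be zero at the division. The commit touches only Misc/NEWS and Python/codecs.c, so no regression test accompanies the fix.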
