changeset: 92639:0ddc5fc5f395 parent: 92634:f86fde20e9ce parent: 92638:ed31cdf11ac2 user: Benjamin Peterson date: Mon Sep 29 19:11:05 2014 -0400 files: Misc/NEWS Objects/bytesobject.c description: merge 3.4 (#22519) diff -r f86fde20e9ce -r 0ddc5fc5f395 Misc/NEWS --- a/Misc/NEWS Mon Sep 29 18:53:58 2014 -0400 +++ b/Misc/NEWS Mon Sep 29 19:11:05 2014 -0400 @@ -10,6 +10,8 @@ Core and Builtins ----------------- +- Issue #22519: Fix overflow checking in PyBytes_Repr. + - Issue #22518: Fix integer overflow issues in latin-1 encoding. - Issue #16324: _charset parameter of MIMEText now also accepts diff -r f86fde20e9ce -r 0ddc5fc5f395 Objects/bytesobject.c --- a/Objects/bytesobject.c Mon Sep 29 18:53:58 2014 -0400 +++ b/Objects/bytesobject.c Mon Sep 29 19:11:05 2014 -0400 @@ -629,28 +629,27 @@ newsize = 3; /* b'' */ s = (unsigned char*)op->ob_sval; for (i = 0; i < length; i++) { + Py_ssize_t incr = 1; switch(s[i]) { - case '\'': squotes++; newsize++; break; - case '"': dquotes++; newsize++; break; + case '\'': squotes++; break; + case '"': dquotes++; break; case '\\': case '\t': case '\n': case '\r': - newsize += 2; break; /* \C */ + incr = 2; break; /* \C */ default: if (s[i] < ' ' || s[i] >= 0x7f) - newsize += 4; /* \xHH */ - else - newsize++; + incr = 4; /* \xHH */ } + if (newsize > PY_SSIZE_T_MAX - incr) + goto overflow; + newsize += incr; } quote = '\''; if (smartquotes && squotes && !dquotes) quote = '"'; - if (squotes && quote == '\'') + if (squotes && quote == '\'') { + if (newsize > PY_SSIZE_T_MAX - squotes) + goto overflow; newsize += squotes; - - if (newsize > (PY_SSIZE_T_MAX - sizeof(PyUnicodeObject) - 1)) { - PyErr_SetString(PyExc_OverflowError, - "bytes object is too large to make repr"); - return NULL; } v = PyUnicode_New(newsize, 127); @@ -682,6 +681,11 @@ *p++ = quote; assert(_PyUnicode_CheckConsistency(v, 1)); return v; + + overflow: + PyErr_SetString(PyExc_OverflowError, + "bytes object is too large to make repr"); + return NULL; } static PyObject *