changeset: 94278:1cd68b3c46aa parent: 94276:dd8a03e98158 parent: 94277:2de90090e486 user: Serhiy Storchaka date: Mon Jan 26 01:24:31 2015 +0200 files: Misc/NEWS Objects/unicodeobject.c description: Issue #23321: Fixed a crash in str.decode() when error handler returned replacment string longer than mailformed input data.
diff -r dd8a03e98158 -r 1cd68b3c46aa Misc/NEWS
--- a/Misc/NEWS Sun Jan 25 22:56:57 2015 +0200
+++ b/Misc/NEWS Mon Jan 26 01:24:31 2015 +0200
@@ -10,6 +10,9 @@ Core and Builtins ----------------- +- Issue #23321: Fixed a crash in str.decode() when error handler returned + replacment string longer than mailformed input data. + - Issue #22286: The "backslashreplace" error handlers now works with decoding and translating.
diff -r dd8a03e98158 -r 1cd68b3c46aa Objects/unicodeobject.c
--- a/Objects/unicodeobject.c Sun Jan 25 22:56:57 2015 +0200
+++ b/Objects/unicodeobject.c Mon Jan 26 01:24:31 2015 +0200
@@ -4155,9 +4155,13 @@
 if (PyUnicode_READY(repunicode) < 0)
 goto onError;
 replen = PyUnicode_GET_LENGTH(repunicode);
- writer->min_length += replen;
- if (replen > 1)
+ if (replen > 1) {
+ writer->min_length += replen - 1;
 writer->overallocate = 1;
+ if (_PyUnicodeWriter_Prepare(writer, writer->min_length,
+ PyUnicode_MAX_CHAR_VALUE(repunicode)) == -1)
+ goto onError;
+ }
 if (_PyUnicodeWriter_WriteStr(writer, repunicode) == -1)
 goto onError;
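Review bot: The new `writer->min_length += replen - 1;` in Objects/unicodeobject.c is a signed addition with no visible overflow guard, and `replen` is the length of a string returned by a caller-supplied error handler, so it is not bounded by the input size. Whether `_PyUnicodeWriter_Prepare` rejects an oversized request cannot be seen from this hunk, and in any case the addition runs before that call; a guard such as `if (replen - 1 > PY_SSIZE_T_MAX - writer->min_length) { PyErr_NoMemory(); goto onError; }` ahead of the increment would keep the arithmetic defined. The block would also benefit from a short comment on why the increment is `replen - 1` and why the buffer is prepared before `_PyUnicodeWriter_WriteStr`, e.g. `/* reserve room for the replacement up front; the decoder writes past this point without re-checking the buffer size */`, worded to match what the decoders actually rely on. The changeset's file list shows only Misc/NEWS and Objects/unicodeobject.c, so a regression test with an error handler returning a replacement longer than the malformed input appears to be missing here. The enclosing function starts and ends outside the hunk.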