changeset: 93597:21d1571c0533 parent: 93592:81b5268efff6 user: Serhiy Storchaka date: Wed Nov 26 12:11:40 2014 +0200 files: Python/codecs.c description: Issue #19676: Fixed integer overflow issue in "namereplace" error handler.
diff -r 81b5268efff6 -r 21d1571c0533 Python/codecs.c
--- a/Python/codecs.c Tue Nov 25 18:05:40 2014 -0600
+++ b/Python/codecs.c Wed Nov 26 12:11:40 2014 +0200
@@ -947,7 +947,8 @@
 Py_ssize_t end;
 PyObject *res;
 unsigned char *outp;
- int ressize;
+ Py_ssize_t ressize;
+ int replsize;
 Py_UCS4 c;
 char buffer[256]; /* NAME_MAXLEN */
 if (PyUnicodeEncodeError_GetStart(exc, &start))
@@ -967,17 +968,21 @@
 c = PyUnicode_READ_CHAR(object, i);
 if (ucnhash_CAPI &&
 ucnhash_CAPI->getname(NULL, c, buffer, sizeof(buffer), 1)) {
- ressize += 1+1+1+strlen(buffer)+1;
+ replsize = 1+1+1+strlen(buffer)+1;
 }
 else if (c >= 0x10000) {
- ressize += 1+1+8;
+ replsize = 1+1+8;
 }
 else if (c >= 0x100) {
- ressize += 1+1+4;
+ replsize = 1+1+4;
 }
 else
- ressize += 1+1+2;
+ replsize = 1+1+2;
+ if (ressize > PY_SSIZE_T_MAX - replsize)
+ break;
+ ressize += replsize;
 }
+ end = i;
 res = PyUnicode_New(ressize, 127);
 if (res==NULL)
 return NULL;
@@ -1014,6 +1019,7 @@
 *outp++ = Py_hexdigits[c&0xf];
 }
+ assert(out == start + ressize);
 assert(_PyUnicode_CheckConsistency(res, 1));
 restuple = Py_BuildValue("(Nn)", res, end);
 Py_DECREF(object);
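Review bot: The `break` taken when `ressize > PY_SSIZE_T_MAX - replsize` means the handler replaces only a prefix of the error range, and nothing in the second hunk says so. The following `end = i;` is what keeps the position later passed to `Py_BuildValue("(Nn)", res, end)` in step with what was actually written, which is easy to miss on a later edit. I would add a comment above the check, for example `/* result would overflow Py_ssize_t: replace only [start, i) and return i as the resume position */`. Separately, `replsize = 1+1+1+strlen(buffer)+1;` narrows a `size_t` into the new `int`; the value is bounded by `char buffer[256]`, so writing `(int)strlen(buffer)` would make that bound explicit and avoid conversion warnings. The loop header and the rest of the function lie outside the hunk.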
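Review bot: The added `assert(out == start + ressize);` in the third hunk names `out`, which is not declared in any visible hunk; the write cursor declared in the first hunk is `unsigned char *outp`. `start` is the value filled by `PyUnicodeEncodeError_GetStart(exc, &start)`, so it appears to be an index rather than a buffer pointer. As written the check looks like it cannot compile in a build with assertions enabled, and where assertions are compiled out it verifies nothing, so the overflow fix is left without a working post-condition. If the intent is to confirm that the writes filled exactly the buffer allocated by `PyUnicode_New(ressize, 127)`, `assert(outp == PyUnicode_1BYTE_DATA(res) + ressize);` would express that. The function body starts and ends outside the hunk, so this is inferred from the declarations shown.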