changeset: 94277:2de90090e486 branch: 3.4 parent: 94272:3a9b1e5fe179 user: Serhiy Storchaka date: Mon Jan 26 01:22:54 2015 +0200 files: Misc/NEWS Objects/unicodeobject.c description: Issue #23321: Fixed a crash in str.decode() when error handler returned replacment string longer than mailformed input data. diff -r 3a9b1e5fe179 -r 2de90090e486 Misc/NEWS --- a/Misc/NEWS Sun Jan 25 15:46:22 2015 -0500 +++ b/Misc/NEWS Mon Jan 26 01:22:54 2015 +0200 @@ -11,6 +11,9 @@ Core and Builtins ----------------- +- Issue #23321: Fixed a crash in str.decode() when error handler returned + replacment string longer than mailformed input data. + - Issue #23048: Fix jumping out of an infinite while loop in the pdb. - Issue #20335: bytes constructor now raises TypeError when encoding or errors diff -r 3a9b1e5fe179 -r 2de90090e486 Objects/unicodeobject.c --- a/Objects/unicodeobject.c Sun Jan 25 15:46:22 2015 -0500 +++ b/Objects/unicodeobject.c Mon Jan 26 01:22:54 2015 +0200 @@ -4190,9 +4190,13 @@ if (PyUnicode_READY(repunicode) < 0) goto onError; replen = PyUnicode_GET_LENGTH(repunicode); - writer->min_length += replen; - if (replen > 1) + if (replen > 1) { + writer->min_length += replen - 1; writer->overallocate = 1; + if (_PyUnicodeWriter_Prepare(writer, writer->min_length, + PyUnicode_MAX_CHAR_VALUE(repunicode)) == -1) + goto onError; + } if (_PyUnicodeWriter_WriteStr(writer, repunicode) == -1) goto onError;
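Review bot: `writer->min_length += replen - 1;` is unchecked signed `Py_ssize_t` arithmetic on a length that comes from a user-registered error handler and accumulates once per malformed sequence, and the sum is now passed straight to `_PyUnicodeWriter_Prepare`. A guard before the addition, `if (replen - 1 > PY_SSIZE_T_MAX - writer->min_length) { PyErr_NoMemory(); goto onError; }`, keeps the total well defined regardless of what the callee checks. The call also passes the running total `writer->min_length` as the length to prepare; if that argument is counted from the current write position (its definition is outside this hunk), every decode error reserves more than the remaining output needs, which lets malformed input with a long replacement inflate memory use. A short comment stating the capacity the decoders rely on after this call, e.g. `/* keep room for the replacement and the rest of the input */`, would make the intended bound reviewable. The enclosing function starts and ends outside the hunk.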